Facebook open redirect
UPDATE: it looks like they fixed it now.
TL;DR: I found an open redirect (a bypass of a bad fix) on free.facebook.com and received a bot reply stating that it is a "false positive". No useful reply after that.
Original vulnerability explained here:
(Ab)Using your well known friend
Almost every (web) company has developers, or at least a website. Usually they use subdomains like support.company.com or blog.company.com for various things. Sometimes a company (or a developer working there) spins up a test page on a subdomain and later forgets about it. This can lead to subdomain takeovers, unpatched internal services exposed to the internet, or other bad stuff.
This is what I like to call:
One way of finding forgotten or interesting pages is through our well-known friend Google, by dorking. Most of the time I use the following query:
site:*.example.com -www -blog -etc...
After removing a lot of subdomains that were (to me) not interesting, I stumbled upon the following URL:
In the Netherlands free.facebook.com is not available, so we get the following response:
The domain looks different from the usual Facebook web pages. After searching for more info about the free. domain I found a blog written by Evangelos Mourikis (@teh_h3ck). He explains that there was an open redirect vulnerability through a URL parameter.
Facebook replied to Evangelos that it was a false positive, but "after the initial [public] post, facebook patched the vulnerability. It seems that the impact is higher than expected".
After digging into the page some more I found out that the website and the open redirect are still working! Looks like a bad fix. The only change is that the parameter is a little different:
PoC URL: I changed the next_uri parameter and got an open redirect through the facebook.com link:
I won't go into detail (you can read the blog from Evangelos for that), but what worries me is that after reporting it to Facebook I got the same bot reply as Evangelos: false positive.
Why won't they just hardcode the URL back?
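To make the point concrete, here is an added example (not code from the original post, and not Facebook's code) of a minimal redirect handler written two ways: the blacklist style Facebook described in their reply, and the "just hardcode it / only accept a local path" style the author asks for. TRUSTED_HOST, the function names and the sample inputs are all assumptions for illustration; the page does not show how the real endpoint processes next_uri.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed destination host for the redirect. The real free.* endpoint and its
# parameter handling are not shown on the page; this is a stand-in.
TRUSTED_HOST = "www.facebook.com"
SAFE_DEFAULT = f"https://{TRUSTED_HOST}/"


def blacklist_redirect(next_uri: str) -> str:
    """Weak form: only a hand-written list of bad prefixes is rejected.

    Everything not on the list is returned to the browser unchanged, so the
    check is only as good as the list. Shown here to contrast with the
    hardened form below, not as something to deploy.
    """
    blocked_prefixes = ("http://", "https://")
    if next_uri.lower().startswith(blocked_prefixes):
        return SAFE_DEFAULT
    return next_uri


def hardcoded_redirect(next_uri: str) -> str:
    """Strictest form: ignore the parameter and always go back to the
    trusted host. This is what the author proposes to Facebook."""
    return SAFE_DEFAULT


def allowlist_redirect(next_uri: str) -> str:
    """Hardened form that still honours a 'return to this page' parameter.

    Only a local path (plus optional query string) is accepted; the absolute
    URL is rebuilt on TRUSTED_HOST, so the user can never be sent elsewhere.
    """
    # Leading whitespace and control characters can change how a browser
    # interprets the value, so normalise before parsing.
    candidate = next_uri.strip()
    parts = urlsplit(candidate)

    # Any scheme or authority component means an absolute or scheme-relative
    # URL ("https://other", "//other"); those are never followed.
    if parts.scheme or parts.netloc:
        return SAFE_DEFAULT

    path = parts.path
    # Require a single leading slash: "//" and "/\" are interpreted by
    # browsers as the start of an authority, and bare "foo" is ambiguous.
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        path = "/"

    # Rebuild the URL on the trusted host; fragments are dropped.
    return urlunsplit(("https", TRUSTED_HOST, path, parts.query, ""))


if __name__ == "__main__":
    # Constructed sample values for the next_uri parameter.
    samples = ["/profile?ref=free", "//other.example/", "https://other.example/x"]
    for value in samples:
        print(f"{value!r:32} blacklist -> {blacklist_redirect(value)}")
        print(f"{'':32} allowlist -> {allowlist_redirect(value)}")
```

The contrast is the whole point: the blacklist version passes a scheme-relative value through unchanged, while the allowlist version parses the value and refuses anything that carries its own host. If the page never needs to return the user to a specific location, hardcoded_redirect is simpler still and is the fix the author suggests.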
Let's see if posting publicly works and we get a working fix (a little better than last time).
"[Writeup] Facebook open-redirect vulnerability that does the social engineering job too. https://t.co/7t6XNijEJD" — teh3ck (@teh_h3ck), December 6, 2015
Thanks to @teh_h3ck for the original blog
Timeline
14 June 2017: Initial bug report
14 June 2017: Reply from the FB bot that it is a false positive
15 June 2017: Pointed FB to the blog from @teh_h3ck
15 June 2017: Reply from FB that they use blacklisting.
15 June 2017: Explained that they should just hardcode the URL back to facebook.com
15 June 2017: Reply from FB that the security impact of this bug is not significant.
7 July 2017: Looked again, page has changed. Looks like they fixed it now.
Just the same story as Evangelos.