Daan Goumans - Write-ups

Facebook open redirect

UPDATE: it looks like they have fixed it now.

TL;DR: Found an open redirect (bypass of a bad fix) on free.facebook.com, received a bot reply stating that it is a "false positive". No good reply after that.

Original vulnerability explained here:
https://vagmour.eu/facebook-open-redirect-vulnerability-that-does-the-social-engineering-job-too/

(Ab)Using your well-known friend

Almost every (web) company has developers, or at least a website. Usually they use subdomains like support.company.com or blog.company.com for various things. Sometimes a company (or a developer working there) spins up a subdomain for a test page and later forgets about it. This can lead to subdomain takeovers, unpatched internal services exposed to the internet, or other bad stuff.

This is what I like to call:

a goldmine for bughunters!

One way of finding forgotten/interesting pages is through our well-known friend Google, by dorking. Most of the time I use the following query:
site:*.example.com -www -blog -etc...

After removing a lot of (to me) uninteresting subdomains I stumbled upon the following URL:
https://free.facebook.com

Vulnerability explained

In The Netherlands free.facebook.com is not available, so we get the following response:

The domain looks different from the usual Facebook web pages. After searching for some more info about the free. domain I found a blog [1] written by Evangelos Mourikis (@teh_h3ck). He explains that there was an open redirect vulnerability through a URL parameter.

From OWASP:
An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.

Facebook replied to Evangelos that it was a false positive, but "after the initial [public] post, facebook patched the vulnerability. It seems that the impact is higher than expected".

After digging into the page some more I found out that the website and the open redirect are still working! Looks like a bad fix. The only change is that the parameter is a little different:

PoC URL: changed the next_uri parameter and got an open redirect through the facebook.com link:
https://free.facebook.com/zero/support/ineligible/?next_uri=https%3A%2F%2Fopenredirect.com%2F&_rdc=1&_rdr

I won't go into detail (you can read Evangelos's blog for that), but what worries me is that after reporting it to Facebook I got the same bot reply as Evangelos: false positive.

Why won't they just hardcode the URL back?
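To make that suggestion concrete, here is an added example (my own code, not Facebook's) of the allowlist approach: `next_uri` is only honoured when it points at an allowlisted host or a same-origin path, and everything else falls back to a hardcoded default. The host list, the default target and the test inputs are constructed for illustration; the request URL is the PoC from above.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed for this example; the real configuration is not on the page.
DEFAULT_TARGET = "https://www.facebook.com/"
ALLOWED_HOSTS = {"www.facebook.com", "free.facebook.com"}


def safe_redirect_target(next_uri, allowed_hosts=ALLOWED_HOSTS,
                         default=DEFAULT_TARGET):
    """Return next_uri if it is allowlisted, otherwise the hardcoded default.

    Allowlisting replaces the blacklist the vendor described: anything not
    explicitly permitted is dropped, so there is nothing to bypass.
    """
    if not next_uri:
        return default
    # Browsers treat '\' like '/', so normalise before parsing; otherwise
    # '/\host' would be read as a plain path and later sent off-site.
    try:
        parts = urlsplit(next_uri.replace("\\", "/"))
    except ValueError:
        return default
    # Only https (or no scheme at all, as in '//host' or '/path') is allowed.
    if parts.scheme not in ("", "https"):
        return default
    if parts.netloc:
        # .hostname strips userinfo and port, so 'allowed@evil' resolves to
        # the real destination host, and it is already lowercased.
        host = parts.hostname or ""
        if host not in allowed_hosts:
            return default
        # Rebuild a canonical URL rather than echoing the raw input.
        return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
    if parts.scheme:
        return default  # e.g. 'https:///x': scheme but no host
    # Same-origin relative path: exactly one leading '/'.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return parts.path + ("?" + parts.query if parts.query else "")


def redirect_for_request(request_url):
    """Emulate the support page: read next_uri from the query string and
    decide where the user is sent."""
    query = urlsplit(request_url).query
    next_uri = parse_qs(query).get("next_uri", [""])[0]
    return safe_redirect_target(next_uri)
```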

Let's see if posting publicly works and we get a working fix (a little better than last time).


Thanks to @teh_h3ck for the original blog.

Timeline

14 June 2017: Initial bug report
14 June 2017: Reply from FB bot that it is a false positive
15 June 2017: Pointed FB to the blog from @teh_h3ck
15 June 2017: Reply from FB that they use blacklisting.
15 June 2017: Explained that they should just hardcode the URL back to facebook.com
15 June 2017: Reply from FB that the security impact of this bug is not significant.
7 July 2017: Looked again, page has changed. Looks like they fixed it now.

Just the same story as Evangelos's.