Security researcher Prakhar Prasad has identified an open redirect vulnerability on Facebook’s mobile site. Within two weeks of being notified, the company addressed the issue and rewarded the expert with $500 (375 EUR).
Prasad has explained that when Facebook users try to visit external links, they’re redirected to an interstitial page that checks whether the destination website is malicious.
However, the expert found that on the mobile site, the links Facebook generates for videos could be abused by cybercriminals to send users to arbitrary websites.
The links generated by Facebook for videos look something like this:
The researcher found that the "src" parameter could be manipulated to direct users to any website. For instance, an attacker could lure victims to an arbitrary site with the following URL:
In the example provided by the expert, the redirection is made to Google, but "http://www.google.com" could have been replaced with any other site.
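The bug class at work here is an open redirect: a redirect endpoint copies a caller-supplied parameter (here "src") into the destination without confirming that it points somewhere the site trusts. The following is an added example, written for this article and not Facebook's code or the researcher's; the host names, the parameter handling and the sample inputs are constructed placeholders. It places the unchecked behaviour beside a hardened version that only honours targets on an allowlist of hosts, and it covers the bypasses that naive "starts with our domain" checks miss: scheme-relative URLs, backslash separators, userinfo tricks, and non-HTTP schemes.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Constructed placeholders (not Facebook's hosts): the origin serving the
# redirect endpoint, and the hosts a "src"-style parameter may point to.
OWN_HOST = "m.example.com"
ALLOWED_HOSTS = {"m.example.com", "video.example.com"}


def resolve_redirect_vulnerable(src: str) -> str:
    """Mirrors the reported behaviour: the parameter becomes the redirect
    target unchanged, so any absolute URL is followed."""
    return src


def resolve_redirect_hardened(src: str) -> Optional[str]:
    """Return an absolute redirect target only if it stays on an allowed
    host; return None (caller should fall back to a safe page) otherwise."""
    if not src or any(c in src for c in "\r\n\x00"):
        return None  # control characters: header injection attempts
    # Browsers treat "\" like "/", so "/\evil.example" would parse here as a
    # path but navigate to evil.example. Normalise before parsing.
    normalised = src.replace("\\", "/")
    # Resolve relative references against our own origin so that "/video/1"
    # and "//evil.example/" both become absolute URLs we can inspect.
    absolute = urljoin(f"https://{OWN_HOST}/", normalised)
    parts = urlsplit(absolute)
    if parts.scheme not in ("http", "https"):
        return None  # javascript:, data:, etc.
    # .hostname drops userinfo and port, so "https://m.example.com@evil.example/"
    # is judged by its real host (evil.example), not the decoy in front of "@".
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return None
    return absolute


if __name__ == "__main__":
    # Constructed sample values an attacker or a legitimate link might supply.
    samples = [
        "/video/123",
        "https://video.example.com/watch?v=1",
        "http://www.google.com",
        "//evil.example/",
        "/\\evil.example/",
        "https://m.example.com@evil.example/",
        "https://m.example.com.evil.example/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:45} vulnerable -> {resolve_redirect_vulnerable(s)!r:45} "
              f"hardened -> {resolve_redirect_hardened(s)!r}")
```

The hardened version deliberately rejects rather than "repairs" a suspicious target; an endpoint that tries to rewrite attacker-controlled URLs tends to reintroduce the problem. If the endpoint must support third-party destinations, the interstitial warning page described in the article is the right place to send them, not a bare 302.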