Security researcher Prakhar Prasad has identified an open redirect vulnerability on Facebook’s mobile site. Within two weeks of being notified, the company addressed the issue and rewarded the expert with $500 (375 EUR).
However, the expert found that links to videos on the mobile site could be abused by cybercriminals to trick users into visiting arbitrary websites.
The links generated by Facebook for videos look something like this:
The researcher found that the "src" parameter could be manipulated to direct users to any website. For instance, an attacker could lure victims to an arbitrary site with the following URL:
In the example provided by the expert, the redirection is made to Google, but "http://www.google.com" could have been replaced with any other site.
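The article does not say how Facebook fixed the issue. As an added example (not Facebook's code, and not from the researcher's report), the block below shows the pattern behind an open redirect, a "src"-style parameter passed straight to the redirect, next to a server-side validator that only allows targets on an allow-listed host; the host names and base URL are constructed for the example.

```python
from urllib.parse import urlsplit, urljoin

# Hosts a redirect parameter may point at. Constructed for this example;
# a real deployment would use its own list of first-party hosts.
ALLOWED_HOSTS = {"m.example.test", "www.example.test"}
SITE_BASE = "https://m.example.test/"


def vulnerable_redirect_target(src: str) -> str:
    """The open-redirect pattern: the parameter value is used unchecked."""
    return src


def safe_redirect_target(src: str, default: str = SITE_BASE) -> str:
    """Return a redirect target only if it stays on an allow-listed host.

    The value is resolved against the site base so relative paths such as
    "/video/123" keep working; anything whose scheme or host falls outside
    the allow-list is replaced by `default`.
    """
    if not src or any(c in src for c in "\r\n\\"):
        return default  # CR/LF (header injection) and backslash tricks
    resolved = urljoin(default, src.strip())
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return default  # javascript:, data:, and similar schemes
    if parts.username or parts.password:
        return default  # "https://m.example.test@other.test" style
    if parts.hostname not in ALLOWED_HOSTS:
        return default  # also catches "//other.test" and "http:other.test"
    return resolved


if __name__ == "__main__":
    for value in ("/video/123", "http://www.google.com", "//other.test/x"):
        print(f"{value!r:28} -> {safe_redirect_target(value)}")
```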