Expert Identifies Open Redirect Vulnerability on Facebook Mobile Site

Security researcher Prakhar Prasad discovered the security hole

By Eduard Kovacs on February 22nd, 2013 08:40 GMT

Security researcher Prakhar Prasad has identified an open redirect vulnerability on Facebook’s mobile site. Within two weeks after being notified, the company addressed the issue and rewarded the expert with $500 (375 EUR).

Prasad has explained that when Facebook users try to visit external links, they’re redirected to a page that checks if the website is malicious or not.

However, the expert found that on the mobile site, links to videos could be abused by cybercriminals to trick users into visiting arbitrary websites.

The links generated by Facebook for videos look something like this:

http://m.facebook.com/video_redirect/?src=[LINK_TO_VIDEO]

The researcher found that the "src" parameter could be manipulated to direct users to any website. For instance, an attacker could lure victims to an arbitrary site with the following URL:

http://m.facebook.com/video_redirect/?src=http://www.google.com

In the example provided by the expert, the redirection is made to Google, but "http://www.google.com" could have been replaced with any other site.
Open redirect vulnerability identified on Facebook mobile website
   Open redirect vulnerability identified on Facebook mobile website
MORE ON THIS TOPIC
LATEST NEWS
HOT RIGHT NOW

Comments