Security researcher and founder of illSecure.com, Junaid Hussain, aka TriCk, has identified an open redirect vulnerability in Facebook.
The security hole was reported to Facebook around two months ago. The social media company has confirmed its existence and it is currently working on a fix.
In the meantime, since it’s a low-risk vulnerability, the expert published its details on illSecure.com.
“The parameter ‘redirect_uri’ suffers from an open redirect vulnerability but the parameters ‘app_id’ or ‘client_id’ are required for a redirect to take place so therefore they must be given a value, but as there is no validity checks in place any random INVALID value is accepted,” he explained in a blog post.
He added, “An attacker can add a random invalid value to the parameters ‘app_id’ and/or ‘client_id’ and then change the value of the parameter ‘redirect_uri’ and redirect Facebook users to malicious sites such as phishing sites or sites with malware.”
Check out the video POC published by the expert.