How I find open redirect in Facebook

Hi Guys

My first valid bug on Hackerone and that too with high severity.

This is my first write up and I am going to share with you how I found an open redirect in l.facebook.com. So without wasting any time let’s get started.

On a fine evening one of my old friends sent me a Facebook link and he told me that don’t open it otherwise you will get hacked. I was like REALLY.

I clicked the link and it redirected me directly to Instagram. I was like ok no big deal Facebook allows redirection to the site that are not in their malicious list (Linkshim). But I thought to test it for open redirection. I replaced Instagram URL with evil.com and it redirected successfully.

I was confused with the behavior so I decided to report it to Facebook. What could go wrong? They will say that the report is invalid.

So I reported it to Facebook. And <1 min the team reviewed it and said invalid and this end point is designed for redirection purposes and is protected with the Linkshim System. And they told me that the report will only be valid if I was able to redirect a website that is blocked by Linkshim System and one of the blocked websites is https://test.facebook-whitehat.com that is designed for the same testing purpose. So I tried https://l.facebook.com/l.php?u=https://test.facebook-whitehat.com and I was successful again. I told them and they said they are not able to reproduce it and asked for a POC video and I provided the same. Then I realized that I am using the Brave browser. And they also replied the same that there is no problem from there side it is a client side issue. I immediately understood that this issue is due to the browser not from Facebook.

Now it’s time to test the browser. So I install proxy on the Brave Browser and launched Burp Suite and again requested https://l.facebook.com/l.php?u=https://test.facebook-whitehat.com and I noticed that the browser is directly requesting https://test.facebook-whitehat.com and not requesting l.facebook.com for validation. I reported this issue to the Brave browser and they accepted it within a day and they told me that this issue is due to a feature in the browser called URL Debouncing.

I have reported this issue on medium category but surprisingly the team updated the issue to high. I was very happy and at the same time curious why the issue was upgraded. I did some research and found out that due to this issue there was an open redirect on major sites like Facebook, Amazon, YouTube, Reddit and many more.

Takeaway — Always be aware and test whatever feels out of order

Any suggestion is highly appreciated.

If you are reading till here please do leave a clap. Thanks

Bounty — $500 and swag

Severity — High

Report — https://hackerone.com/reports/1579374

You can follow me on: —

Twitter- https://twitter.com/abhinavsecond

Instagram- https://www.instagram.com/abhinav06.sh/

LinkedIn- https://www.linkedin.com/in/abhinav-kumar-6946b3221/