Facebook hidden redirection vulnerability

Ege Ken
Oct 24, 2018


Hi there,

The reports I sent to Facebook were not evaluated as a vulnerability; it’s up to you…

Ege Ken, Oct 16, 2018

Links related to the image below:

https://www.youtube.com/watch?v=pIFhpGr-CFE

Facebook, Oct 16, 2018

Automatic response from Facebook

Ege Ken, Oct 16, 2018

Links related to the image below:

https://www.youtube.com/watch?v=nx5Tn2CxC3k

Facebook, Oct 16, 2018

Links related to the image below:

http://evilzone.org

http://evil.com

Ege Ken, Oct 17, 2018

Links related to the image below:

https://www.youtube.com/watch?v=5_6l1n1Sonk

Facebook, Oct 17, 2018

Facebook, Oct 23, 2018

Ege Ken, Oct 23, 2018

Links related to the image below:

https://www.youtube.com/watch?v=fgrU9MVb90Y

Facebook, Oct 24, 2018

Text Format

Oct 16

Title

Hidden malicious url redirection (as secure)

Vuln Type

Other

Product Area

Facebook — Web

Description/Impact

Description
===
A malicious link can be placed on links that seem safe.

Impact
===
All users of Facebook can be affected by this vulnerability.

For example, when a link is shared (using this vulnerability) in a popular group, many users who click on the link can be affected without even understanding what happened.

Or when a song link (using this vulnerability) is sent as a private message to anybody, the user can be affected.

Thanks.

Repro Steps

Just watch this: https://www.youtube.com/watch?v=pIFhpGr-CFE

If you are interested, I can record a video about how it was done.

Thanks.

Oct 16

Hi,

Thank you for reporting a security issue! Your report number is 178930656318909. Please give us reasonable time to investigate and mitigate the issue before sharing information with others, and note that we reserve the right to publish your report. (More details: https://www.facebook.com/whitehat/) Note that if you’re writing to us in a language other than English, we’ll only be able to respond in English at this time. We’re sorry for any inconvenience this causes.

If you’re trying to report another issue, please review the information below to get help.

- If your account or a friend’s account is sending out suspicious links: https://www.facebook.com/help/hacked
- To report abuse: https://www.facebook.com/help/reportlinks
- To report bugs that are not security issues: https://www.facebook.com/help/www/326603310765065
- For any other questions or concerns, please visit our Help Center: https://www.facebook.com/help

Thanks,
Facebook Security

Your reply

Oct 16

Like this: https://www.youtube.com/watch?v=nx5Tn2CxC3k

Oct 16

Hi Ege,

It looks like you may have submitted a common false positive. We generally exclude open redirects from our bug bounty program because we filter redirects through a system known as Linkshim. This mechanism allows us to dynamically detect and prevent spammy or malicious redirects. Based on a variety of heuristics we determine when to allow a redirect to be performed. In cases of spam or abuse we can block particular domains/URLs. So in the event of a real-world attack we would be able to take action to detect and prevent malicious behavior.

Feel free to test Linkshim against a URL belonging to a known malicious website, such as http://evilzone.org/ Please note that evil.com etc. despite the naming are not considered malicious.

Thanks,

Peter

Your reply

Oct 17

Hi again,

Watch new POC: https://www.youtube.com/watch?v=5_6l1n1Sonk

Actually, I want to tell you that Facebook’s url scrape system is wrong-missing.

Malicious links can be integrated into attachments that appear to be quite secure.

Please take the opinion of many teammates while reviewing this vulnerability.

I can explain to you how this vulnerability has been implemented and how it can be solved.

Thanks.

Oct 17

Hi Ege,

I reviewed the provided video where it appears that you were able to redirect to a blacklisted website. Please reply with reproduction instructions so we can verify this issue on our end (images and video would be helpful). Please include a proof of concept and more technical details about the vulnerability, the impact of this vulnerability and any suggested fixes for this vulnerability.

Thanks,

Peter

Your reply

Oct 21

Hi Facebook Security Team, sorry for the delay.

Firstly,

There are some terms (like variables in programming, because I used these phrases below) I would like to explain in my report:

1. Direct-Redirection: Redirecting a url directly to another url.

example in PHP: <?php header('Location: http://facebook.com/');

---

2. Url-Attachment: Creating attachments when entering a url when sharing a post or writing a message.

Url-Attachment examples added as attachment on this report.
what-is.png

---

3. Entered-Url: Url-Attachment consists of when “Entered-Url” is entered in some specific textboxes (sharing post, messaging) on Facebook.

Entered-Url examples added as attachment on this report.
what-is.png

---

4. Integrated-Url: Integrated (a href) into the Url-Attachment, so it is the FIRST address opened in the browser when the Url-Attachment is clicked.

and URL of Integrated-Url === URL of Entered-Url, so these are the same URLs,

BUT: Entered-Url is text, so it can be deleted; Integrated-Url is the “a href” attribute value of the Url-Attachment.

---

5. Redirected-Address: If there is a Direct-Redirection, the LAST address reached when the Url-Attachment (which has the Integrated-Url) is clicked.

So, when the Url-Attachment is clicked:

Integrated-Url → Redirected-Address

---------------

I want to emphasize again, the vulnerability is being able to integrate DIFFERENT links into url-attachments that seem safe. These DIFFERENT links can be malicious links like evilzone.org

Quick-solution: The redirection should be done to the url seen in the url-attachment, not a DIFFERENT url.

This is not just an open-redirect vulnerability.

In a popular group or page, or in messaging: consider what can be done using this vulnerability.

I’m showing you how to apply it in these videos.

https://www.youtube.com/watch?v=U9rR4DSueTA
https://www.youtube.com/watch?v=Mj49gQG7B4c

Also, the entered-url (as text) appears with the url-attachments in the videos above, but if the entered-url (as text) is deleted, the user (victim) will just have to click the url-attachment, and the danger ratio of the vulnerability will increase further.

like this: https://www.youtube.com/watch?v=pUkfjOUJuTI

so TERRIBLE

---

By the way, after my security report: you’re now taking preventive measures against posts created using this vulnerability.

Before my security report: posts created using this vulnerability stayed published for days (not marked as spam or deleted).

After the report: Spam and deleted. BUT…

There’s something forgotten.

The vulnerability can still be easily implemented in messaging.

Like in my last video: https://www.youtube.com/watch?v=pUkfjOUJuTI

---------------

SOLUTION:

Q: What’s causing the vulnerability?
A: Facebook creates url-attachments with a wrong-missing system for direct-redirections.

I have two solutions for links that have direct-redirection.

---------------
First Solution:
---------------

The data (image, title, description, URL like open-graph) of the address (can be malicious) to which the entered-url is directed should not appear in the url-attachment.

The url of the entered-link should appear in the url-attachment (so, not the redirected link’s (can be malicious) data as in the current system), or a url-attachment should not be created.

Explanation:

After the entered-url is scraped, if direct-redirection is detected (detection process: this can be done by comparing the entered-url and the url of the last address reached after the scrape; if the comparison result is not equivalent, it means direct-redirection is detected): the url-attachment to be created may only contain the URL of the entered-url (just the URL because: there is direct-redirection, so it is not possible to reach any data (image, title, description, URL like open-graph) of the entered-url) — or — a url-attachment may not be created.

In this case,

It is not possible to integrate a DIFFERENT url (can be malicious) into a url-attachment that seems safe.

The Integrated-URL (a href) in the url-attachment that the user will click and the redirect URL after the click will be EQUIVALENT, not DIFFERENT — or — a url-attachment is not created, the URL to be clicked will be just text, and the user will be redirected to the URL clicked.

----------------
Second Solution:
----------------

As in the current operation: the url-attachment may contain the redirected-address data (image, title, description, URL like open-graph), not the data of the entered-link, BUT if the current direct-redirection address of the entered-link is removed or changed, these changes should be updated on the url-attachment immediately. For this, all url-attachments over Facebook, past and future, that contain URLs with direct-redirection and data (image, title, description, URL like open-graph) of a redirected-address need to be continuously checked with a typical redirection-change-control system.

In this case,

Every time, the integrated-URL (a href) in the url-attachment and the data (image, title, description, URL like open-graph) of the redirected-address on the url-attachment will be equivalent through the redirection-change-control system; thus the URL that the user sees (so the data (image, title, description, URL like open-graph) of the redirected-address) and clicks (the integrated-URL, so a href) will be exactly EQUIVALENT, not DIFFERENT.

---------

CONCLUSION:

The first solution is quite ideal, because using the redirection-change-control system that will be needed for the second solution will be much more risky and costly.

---

Finally,

Q: How can I redirect to a link on Facebook’s blacklist (like evilzone.org) over Facebook?

A: Using the vulnerability, I define redirected-address as an address in the blacklist on my host.

https://www.youtube.com/watch?v=pUkfjOUJuTI

After fix the vulnerability, you’re blocked redirection to links in the blacklist.

Thanks.

Your reply

Oct 21

what-is.png is here:

Attachments

what-is.png

Your reply

Oct 21

And watch last POC: https://www.youtube.com/watch?v=fgrU9MVb90Y

Your reply

Oct 21

Your reply

Oct 21

This message is for my empty message, sorry; you should check my past messages.

Yesterday

Hi Ege,

Thank you for your report. We are aware of such hiding tools. However, it is a difficult issue to comprehensively mitigate. If a user owns a site containing an open redirect, they can simply link to their own site, which would then redirect to a blacklisted site from there. The reason why you are seeing your recent PoC URLs getting blocked is the Linkshim mechanism dynamically detecting and preventing malicious redirects originating from your website.

Facebook does provide what we feel is a reasonable level of checking for this type of behavior. We will continue to monitor for this and may make additional changes here in the future if it becomes necessary.

Thanks,

Peter

Your reply

Yesterday

Don’t forget,

Still, different URLs can be integrated into url-attachments that seem safe.

https://www.youtube.com/watch?v=fgrU9MVb90Y

I told you how to avoid it in my long report message, if you haven’t seen it; the rest is up to you.

Thanks.

Today

Hi Ege,

Thanks for the follow up. Due to the reasons outlined in our previous response we don’t believe that what you describe poses significant security risk and is not considered an issue qualifying under our bug bounty program. However feel free to provide feedback or suggestions regarding a feature here:

https://www.facebook.com/help/contact/268228883256323

Thanks,

Peter

End.
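
The redirect comparison from the first solution and the later re-check from the second solution in the Oct 21 report, sketched as an added example (not code from the report or from Facebook). The `fetch` callback, the card fields, the `.example` hosts and reading "equivalent" as "same host" are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def host(url):
    return (urlsplit(url).hostname or "").lower()

def resolve(url, fetch, max_hops=5):
    """Follow redirects; fetch(url) -> (status, location, meta) is a stand-in scraper."""
    for _ in range(max_hops + 1):
        status, location, meta = fetch(url)
        if status not in REDIRECTS or not location:
            return url, meta
        url = urljoin(url, location)
    raise ValueError("redirect chain too long")

def legacy_card(entered_url, fetch):
    """Behaviour the report describes: href is the entered URL, card shows the target's data."""
    final_url, meta = resolve(entered_url, fetch)
    return {"href": entered_url, "shown_url": final_url, "title": meta.get("title")}

def strict_card(entered_url, fetch):
    """First solution: on a redirect to another host, show only the entered URL."""
    final_url, meta = resolve(entered_url, fetch)
    if host(final_url) != host(entered_url):  # assumption: "equivalent" means same host
        return {"href": entered_url, "shown_url": entered_url, "title": None}
    return {"href": entered_url, "shown_url": final_url, "title": meta.get("title")}

def still_consistent(card, fetch):
    """Second solution: re-resolve href and compare with what the card displays."""
    final_url, _ = resolve(card["href"], fetch)
    return host(final_url) == host(card["shown_url"])

# Constructed sample data: one link before and after its owner changes the redirect.
AT_SCRAPE = {
    "https://links.example/s1": (302, "https://music.example/song", {}),
    "https://music.example/song": (200, None, {"title": "A Song"}),
}
AT_CLICK = {
    "https://links.example/s1": (302, "https://other.example/landing", {}),
    "https://other.example/landing": (200, None, {"title": "Something else"}),
}

def demo():
    legacy = legacy_card("https://links.example/s1", AT_SCRAPE.__getitem__)
    strict = strict_card("https://links.example/s1", AT_SCRAPE.__getitem__)
    return (legacy["shown_url"], strict["shown_url"],
            still_consistent(legacy, AT_SCRAPE.__getitem__),
            still_consistent(legacy, AT_CLICK.__getitem__))
```

The legacy card passes the check at scrape time and fails it once the redirect target changes, which is the gap the second solution's continuous re-check is meant to close; the strict card never displays data from a host other than the one in its href.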
