
Facebook URL Redirection Vulnerability 2013

This vulnerability lets an attacker redirect a victim, through a URL on facebook.com, to any URL the attacker chooses (a phishing page, for example) ;)
It's absolutely working, as I myself tried it just now 3:)
Facebook protects its link shim against open redirection with a hash, and that hash is generated per account.

From their security page:
To avoid being an open redirector, we generate a hash for each link shim url that’s user specific. Then, when the person loads the interstitial link shim page, we check that the hash is valid for her. If it is, we allow her to access the site requested – but if not, we show a warning page like this:
Let's make a scenario:
A victim who is friends with the attacker posts a video on his wall.
The attacker clicks the victim's YouTube video and inspects the HTTP parameters of the resulting link shim URL.
url :
The s parameter is not needed; the part of the URL that matters to the attacker is the h parameter, which carries the hash.
The attacker keeps that hash, replaces the destination in the URL with a malicious website, and sends the result back to the victim as a phishing link.
new url :
new url with hex encoding :
The attacker sends the malicious URL to the victim.
The victim sees only a Facebook URL; after clicking the link, Facebook redirects the victim to the page the attacker specified.
The victim has now landed on the malicious website.
In this case, my website is used as an example.
Here is the PoC video:
The attack does not work if the user and the attacker are not friends.
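The link shim check quoted from Facebook's security page and the hash-swap scenario above, modelled as an added Python example. This is not the author's PoC and not Facebook's code, and it assumes names the page does not give: a destination parameter I call u (the page names only h and s), the l.php endpoint path, an HMAC-SHA256 keyed with a constructed server secret, and, for the weak variant, a hash computed only from the posting account's id. The page does not document exactly what Facebook's hash covered; the point the example shows is independent of that detail. A hash that does not cover the destination authorises every destination, so anyone who can copy a valid h from a friend's wall can point it elsewhere, with or without percent-encoding the new target. The hardened variant binds the hash to both the viewer and the destination, so a swapped target fails the check and the warning page is shown.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed secret for this demo only; a real shim keeps its key server-side.
SERVER_SECRET = b"constructed-demo-secret-not-a-real-key"
SHIM_BASE = "https://www.facebook.com/l.php?"  # assumed endpoint path


def make_hash(account_id: str, dest: str, bind_dest: bool) -> str:
    """HMAC-SHA256 that the shim places in the h parameter.

    bind_dest=False models the weak scheme: h depends only on the account,
    so it is valid for *any* destination.  bind_dest=True also covers the
    destination, so changing u invalidates h.
    """
    if bind_dest:
        msg = account_id.encode() + b"\x00" + dest.encode()
    else:
        msg = account_id.encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def build_shim_url(account_id: str, dest: str, bind_dest: bool) -> str:
    """Shim URL as it would appear in account_id's own post (u is an assumed name)."""
    return SHIM_BASE + urlencode({"u": dest,
                                  "h": make_hash(account_id, dest, bind_dest),
                                  "s": "1"})


def resolve_shim(shim_url: str, viewer_id: str, bind_dest: bool):
    """What the interstitial does for viewer_id: the destination if h checks
    out for this viewer, None if the warning page would be shown instead."""
    params = parse_qs(urlparse(shim_url).query)  # parse_qs percent-decodes u
    dest = params.get("u", [None])[0]
    supplied = params.get("h", [""])[0]
    if dest is None:
        return None
    expected = make_hash(viewer_id, dest, bind_dest)
    if not hmac.compare_digest(expected, supplied):  # constant-time compare
        return None
    return dest


def tamper(shim_url: str, new_dest: str, hex_encode: bool = False) -> str:
    """Attacker step: keep h and s from a link found on a friend's wall,
    replace the destination, optionally percent-encoding every byte of it
    (the "hex encoding" variant of the scenario)."""
    params = parse_qs(urlparse(shim_url).query)
    h, s = params["h"][0], params["s"][0]
    if hex_encode:
        encoded = "".join(f"%{b:02X}" for b in new_dest.encode())
        return f"{SHIM_BASE}u={encoded}&h={h}&s={s}"
    return SHIM_BASE + urlencode({"u": new_dest, "h": h, "s": s})


VICTIM = "victim-account"                       # constructed account id
LEGIT = "https://www.youtube.com/watch?v=constructed"
PHISH = "http://attacker.example/login"         # constructed attacker page


if __name__ == "__main__":
    for bind_dest in (False, True):
        posted = build_shim_url(VICTIM, LEGIT, bind_dest)
        for hex_encode in (False, True):
            evil = tamper(posted, PHISH, hex_encode)
            print(f"bind_dest={bind_dest} hex_encode={hex_encode} ->",
                  resolve_shim(evil, VICTIM, bind_dest))
```

Running the block prints the attacker page twice for the weak scheme and None twice for the hardened one. The fix is in make_hash, not in tamper-proofing the URL: once the destination is part of the MAC input, the victim's copied h is worthless for any other u, and percent-encoding does not help because the shim verifies the decoded value.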