This vulnerability lets an attacker use a Facebook URL to redirect a victim to any URL they want (for example a phishing page) ;)
It's absolutely working, as I myself tried it just now 3:)
From their security page:
To avoid being an open redirector, we generate a hash for each link shim url that’s user specific. Then, when the person loads the interstitial link shim page, we check that the hash is valid for her. If it is, we allow her to access the site requested – but if not, we show a warning page like this:
Let's make a scenario:
A victim who is friends with the attacker posts a video on his wall.
The attacker investigates the HTTP parameters after clicking the victim's YouTube video.
url : http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DSvWjWEyTLkg&h=3AQGbk0Cf&s=1
We don't need the s parameter; for the attacker the most important part of the URL is the h parameter.
h=3AQGbk0Cf
The attacker can modify the URL and send it back to the victim as a phishing attack; it now redirects to a malicious website.
new url : http://www.facebook.com/l.php?u=3grox.nu&h=3AQGbk0Cf
new url with hex encoding : http://www.facebook.com/l.php?u=%63%61%6e%73%69%6e%79%69%6c%64%69%72%69%6d%2e%63%6f%6d&h=3AQGbk0Cf
The attacker sends the malicious URL to the victim.
The victim only sees a Facebook URL; after clicking the link, Facebook redirects the victim to a page specified by the attacker.
and JACKPOT
The user has been redirected to a malicious website.
In this case, my website is used as an example.
Here is the PoC video: http://vimeo.com/70087250
The attack does not work if the user and the attacker are not friends.
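The weakness in the scenario above is that h is bound to the viewer but not to the destination u, so any h the viewer has seen is valid for every u. The following added example (my own code, not Facebook's; the server key, user ids, and token lengths are constructed) shows a viewer-only token accepting a swapped u, and a token that also covers the decoded destination rejecting both the plain and the %xx-encoded substitution:

```python
import hashlib
import hmac
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed server-side secret for the example; a real deployment loads it from a key store.
SERVER_KEY = b"constructed-link-shim-key"
SHIM_BASE = "http://www.facebook.com/l.php?"


def weak_token(user_id: str) -> str:
    """Token bound to the viewer only. This is the design the post exploits: every
    link the viewer has seen carries a valid h, so u can be swapped freely."""
    return hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:9]


def bound_token(user_id: str, destination: str) -> str:
    """Token bound to the viewer AND the decoded destination. Changing u, plainly
    or via %xx encoding (which decodes to the same string), invalidates h."""
    msg = user_id.encode() + b"\x00" + destination.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:24]


def build_shim_url(user_id: str, destination: str) -> str:
    """Render an l.php-style link for user_id using the bound token."""
    params = {"u": destination, "h": bound_token(user_id, destination), "s": "1"}
    return SHIM_BASE + urlencode(params)


def _params(shim_url: str):
    # parse_qs percent-decodes u, so the hex-encoded form yields the same string
    q = parse_qs(urlparse(shim_url).query)
    return q.get("u", [None])[0], q.get("h", [None])[0]


def weak_link_is_valid(shim_url: str, viewer_id: str) -> bool:
    u, h = _params(shim_url)
    return bool(u and h) and hmac.compare_digest(weak_token(viewer_id), h)


def bound_link_is_valid(shim_url: str, viewer_id: str) -> bool:
    u, h = _params(shim_url)
    return bool(u and h) and hmac.compare_digest(bound_token(viewer_id, u), h)
```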