Hi everyone, about 2 days ago I found a bug on Facebook, and it was an open redirect URL.
Proof Of Concept
Note: the victim's browser must not be logged in to a Facebook account.
My steps:
1. Create a short URL with tinyurl.com
2. Enter “https://evilzone.org/” to create the short URL
3. We get “https://tinyurl.com/ohldg3u”
4. Copy this short URL and create a short URL again with www.shorturl.at
5. Enter “https://tinyurl.com/ohldg3u” to create the short URL
6. In this case I got “shorturl.at/vCK28”
7. Use the Facebook link function to create the vulnerable URL “https://l.facebook.com/l.php?u=https%3A%2F%2Fshorturl.at%2FvCK28” and press Enter
8. Right-click the “Follow Link” button and copy the link location
9. Send the vulnerable URL to the victim and wait until the victim opens it
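To make the chain concrete, here is an added example (my own code, not the author's and not anything from Facebook or the shortener services) that shows why a checker looking only at the `u` parameter of l.php sees shorturl.at while the victim actually lands on evilzone.org. It resolves the hops against a constructed, offline redirect table that stands in for the Location headers the two shorteners would return; a real checker would issue HTTP requests without auto-following redirects and read each Location header. The shim URL, the shortener URLs and the final destination are the ones from the steps above; everything else (function names, the hop limit) is my assumption.

```python
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the shortener hops in the write-up: maps a URL to
# the Location header its server would return. No network access is used.
REDIRECT_TABLE = {
    "https://shorturl.at/vCK28": "https://tinyurl.com/ohldg3u",
    "https://tinyurl.com/ohldg3u": "https://evilzone.org/",
}

# The link-shim URL built in step 7 of the write-up.
SHIM_URL = "https://l.facebook.com/l.php?u=https%3A%2F%2Fshorturl.at%2FvCK28"


def extract_shim_target(url):
    """Return the decoded `u` parameter of an https://l.facebook.com/l.php URL, else None."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.netloc != "l.facebook.com" or parsed.path != "/l.php":
        return None
    values = parse_qs(parsed.query).get("u")
    return values[0] if values else None


def resolve_chain(url, lookup=REDIRECT_TABLE.get, max_hops=10):
    """Follow redirects one hop at a time and return every URL visited, first to last.

    `lookup(url)` returns the next URL, or None when `url` does not redirect.
    Loops and over-long chains raise, so a malicious chain cannot hang the checker.
    """
    chain = [url]
    for _ in range(max_hops):
        nxt = lookup(chain[-1])
        if nxt is None:
            return chain
        if nxt in chain:
            raise ValueError("redirect loop at %s" % nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirect hops" % max_hops)


def first_hop_host(shim_url):
    """What a checker sees if it inspects only the `u` parameter itself."""
    target = extract_shim_target(shim_url)
    return urlparse(target).hostname if target else None


def final_destination(shim_url, lookup=REDIRECT_TABLE.get):
    """Host the victim lands on once every shortener hop has been followed."""
    target = extract_shim_target(shim_url)
    if target is None:
        return None
    return urlparse(resolve_chain(target, lookup)[-1]).hostname


if __name__ == "__main__":
    print("u parameter host:", first_hop_host(SHIM_URL))
    print("final host      :", final_destination(SHIM_URL))
    print("full chain      :", resolve_chain(extract_shim_target(SHIM_URL)))
```

The point of `resolve_chain` is that the destination only becomes visible after the whole chain is walked; a per-hop check that stops at the first shortener, or a denylist applied only to the value of `u`, sees nothing but shorturl.at.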
Let's send the report to Facebook.
I sent the report to Facebook and this is what I got.
They said it's hard to mitigate!? OK, maybe they didn't fix it in the right way… Then I sent them the solution to tell them it was easy to fix. And this is what I got.
Then I asked him again why this is not a bug bounty, and this is his answer.
They said it is not a security vulnerability, although OWASP said it was!? How weird is that?
For the people who want to bypass with this technique, just forget it, because it wastes your time.
Founder
Kusol Watchara-apanukorn (me)
Narin Boonwassanarak