Full Disclosure mailing list archives

[ISecAuditors Security Advisories] Facebook social network vulnerable to Open Redirect


From: ISecAuditors Security Advisories <advisories () isecauditors com>
Date: Fri, 22 Jul 2011 11:08:15 +0200

=============================================
INTERNET SECURITY AUDITORS ALERT 2011-001
- Original release date: 18th July 2011
- Last revised: 22nd July 2011
- Discovered by: Vicente Aguilera Diaz
- Severity: 6.8/10 (CVSSv2 Base Score)
=============================================

I. VULNERABILITY
-------------------------
Facebook social network vulnerable to Open Redirect.

II. BACKGROUND
-------------------------
Facebook is a social networking service and website (www.facebook.com)
launched in February 2004, operated and privately owned by Facebook,
Inc. As of July 2011, Facebook has more than 750 million active users.

III. DESCRIPTION
-------------------------
An open redirect is a vulnerability in which an application takes a
parameter and redirects the user to the parameter value without any
validation. This vulnerability is used in phishing attacks to get
users to visit malicious sites without realizing it.

The vulnerability is exploitable only between users who are friends.

IV. PROOF OF CONCEPT
-------------------------
The malicious URL has the following structure:
http://www.facebook.com/l.php?u=<external website>&h=<security token>

where:
<external website>: is the malicious site controlled by the attacker.
For example, it can be used to download malware, request private
information from the user, etc.
<security token>: is a token generated by Facebook, based on different
values, to decide whether the external link is trustworthy or not. The
token is a 9-character string within the range [A-Z|a-z|0-9].

So, the attacker only needs to know the <security token>.

On the other hand, the malicious URL is valid only if:
- the victim user is authenticated, or
- the victim user has logged out but has not closed the browser

--- How to obtain the <security token>
The attacker accesses Facebook, posts a link (for example:
http://www.isecauditors.com) on her wall, and then uses the mobile
Facebook site (m.facebook.com) to view the link. The resulting link is:
http://m.facebook.com/l.php?u=http://www.isecauditors.com&h=DAQCCeLYW&refid=28

From the previous link, the attacker obtains the <security token> from
the "h" parameter value. In this case: "DAQCCeLYW".

--- How to exploit the malicious URL
The attacker has multiple ways to get another user to use
the malicious URL:
- leave a message on her wall with the malicious URL and share the
message with her friends
- send a private message to a friend with the malicious URL
- share the malicious URL on the wall of a friend
- share the malicious URL in a group of friends
- etc.

Obviously, a malicious user will obfuscate the redirection. For
example, the attacker can use a URL shortening service (http://goo.gl,
http://bitly.com, http://tiny.cc, etc.), use complex encoding
techniques, add unnecessary parameters, etc.

For example, the following request can be sent in a private message to
a friend and causes the friend to download a PDF file from the Internet
Security Auditors website:
http://www.facebook.com/l.php?app=1572&u=tiny%2ecc/owhvr&h=DAQCCeLYW
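
For defenders triaging such links in messages or proxy logs, the following added example (not part of the original advisory) unwraps an l.php link, recovers the real destination and flags the obfuscation signs described above. The function name inspect_link and the flag names are hypothetical; the host lists come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hosts listed as affected in section VI of the advisory.
REDIRECTOR_HOSTS = {"www.facebook.com", "m.facebook.com", "touch.facebook.com"}
# Shortener services the advisory names as obfuscation aids.
SHORTENERS = {"goo.gl", "bitly.com", "tiny.cc"}
# RFC 3986 unreserved characters never need percent-encoding.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def inspect_link(url):
    """Return None unless url is an l.php redirect; otherwise describe its target."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in REDIRECTOR_HOSTS or parts.path != "/l.php":
        return None
    params = parse_qs(parts.query)  # values come back percent-decoded
    dest = params.get("u", [""])[0]
    # The advisory's sample drops the scheme (u=tiny%2ecc/owhvr), so add one to parse.
    dest_host = (urlsplit(dest if "://" in dest else "http://" + dest).hostname or "").lower()
    # Raw, still-encoded value of u, to spot encoding that serves no purpose.
    raw_u = next((p[2:] for p in parts.query.split("&") if p.startswith("u=")), "")
    needless = any(chr(int(h, 16)) in UNRESERVED
                   for h in re.findall(r"%([0-9A-Fa-f]{2})", raw_u))
    flags = []
    if dest_host and not (dest_host == "facebook.com" or dest_host.endswith(".facebook.com")):
        flags.append("external-destination")
    if dest_host in SHORTENERS:
        flags.append("url-shortener")
    if needless:
        flags.append("needless-percent-encoding")
    return {"destination": dest, "host": dest_host,
            "token": params.get("h", [""])[0], "flags": flags}


# Links quoted in the advisory, plus one plain link that is not a redirect.
SAMPLES = [
    "http://m.facebook.com/l.php?u=http://www.isecauditors.com&h=DAQCCeLYW&refid=28",
    "http://www.facebook.com/l.php?app=1572&u=tiny%2ecc/owhvr&h=DAQCCeLYW",
    "http://www.facebook.com",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", inspect_link(link))
```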

On the other hand, there is another vulnerability in Facebook that
facilitates the exploitation of this one. A user can leave a message
on her wall with a link, and this link can lead to a website
different from the one that appears in the link.

This vulnerability can be exploited in three steps:

Step 1) The user creates a status message with a URL. For example:
http://www.facebook.com
and leaves a blank space after the last letter.

Step 2) The Facebook application recognizes the URL and creates the
link. For example:
http://www.facebook.com

Step 3) The user deletes the URL from the status message and enters
another, malicious URL. The Facebook application does not update the
previous link.

So, this vulnerability can be abused to facilitate the Open Redirect.
For example, a user can leave a message on her wall or on her public
profile, and share this message with other friends or with everyone.
The process will be:

Step 1) The user creates a status message with a URL. For example:
http://www.facebook.com
and leaves a blank space after the last letter.

Step 2) The Facebook application recognizes the URL and creates the
link. For example:
http://www.facebook.com

Step 3) The user deletes the previous blank space, and adds the
resource and the query string:
http://www.facebook.com/l.php?app=1572&u=tiny%2ecc/owhvr&h=DAQCCeLYW

Step 4) The user shares this message with everyone.

Another possibility for injecting the URL while preventing Facebook
from decoding the malicious site: leave a message on her wall with
some text before the link. For example:

"Download the better application from Facebook:
http://www.facebook.com/l.php?app_id=1572&u=tiny%2ecc/owhvr&h=DAQCCeLYW"

V. BUSINESS IMPACT
------------------------
This vulnerability allows phishing attacks.

VI. SYSTEMS AFFECTED
-------------------------
The vulnerability affects the Facebook social network:
- www.facebook.com (primary Facebook website)
- m.facebook.com (Facebook mobile)
- touch.facebook.com (Facebook mobile)

VII. SOLUTION
-------------------------
-
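
The proof of concept reuses a token obtained for one link with a different "u" value. As an added illustration (not from the advisory and not Facebook's implementation), the sketch below contrasts a constructed model of a token that ignores the destination with one bound to it by an HMAC; the key, the user names and all function names are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-key"  # constructed; a real key stays server-side


def canonical(dest):
    """Normalise a destination so the MAC covers what the browser will fetch."""
    p = urlsplit(dest if "://" in dest else "http://" + dest)
    query = "?" + p.query if p.query else ""
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}{query}"


def _mac(message):
    return hmac.new(SECRET, message.encode(), hashlib.sha256).hexdigest()


def issue_weak(user):
    # Model of the flaw: the token covers the user context but not the destination.
    return _mac(user)


def issue_bound(user, dest):
    # Hardened form: the token covers the user context AND the destination.
    return _mac(user + "\n" + canonical(dest))


def handle(user, query, bound=True):
    """Return the redirect target, or None when the request must be refused."""
    params = parse_qs(query)  # percent-decodes u before it is verified
    dest = params.get("u", [""])[0]
    token = params.get("h", [""])[0]
    if not dest:
        return None
    expected = issue_bound(user, dest) if bound else issue_weak(user)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return None
    return canonical(dest)


if __name__ == "__main__":
    tok = issue_bound("alice", "http://www.isecauditors.com")
    print(handle("alice", "u=http://www.isecauditors.com&h=" + tok))  # accepted
    print(handle("alice", "u=tiny%2ecc/owhvr&h=" + tok))              # refused
    print(handle("alice", "u=tiny%2ecc/owhvr&h=" + issue_weak("alice"), bound=False))
```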

VIII. REFERENCES
-------------------------
http://www.facebook.com
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered by
Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
July    18, 2011: Initial release.
July    19, 2011: Proof of concept updated with more details.

XI. DISCLOSURE TIMELINE
-------------------------
July    17, 2011: The vulnerability is discovered.
July    18, 2011: Facebook is notified of this vulnerability.
July    18, 2011: Facebook answers that the vulnerability is not
                  exploitable.
July    19, 2011: Internet Security Auditors contacts Facebook
                  and provides more details about how to exploit
                  the vulnerability.
July    21, 2011: Facebook answers that the intentional functionality
                  provided by the "l.php" endpoint is required,
                  and that Facebook believes the security benefits
                  generated by this functionality outweigh
                  the perceived risks.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain-based leader in web application
testing, network security, penetration testing, security compliance
implementation and assessment. Our clients include some of the largest
companies in areas such as finance, telecommunications, insurance,
ITC, etc. We are a vendor-independent provider with deep expertise
since 2001. Our efforts in R&D include vulnerability research, open
security project collaboration and whitepapers, presentations and
security events participation and promotion. For further information
regarding our security services, contact us.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

