Facebook vulnerability: Unvalidated URL redirection


The vulnerability "Unvalidated URL Redirection" exists on Facebook.

What does this vulnerability mean?

When a person posts a link on Facebook and someone clicks on it, that person is redirected to the link, which opens in another tab/window. Because of the unvalidated URL redirection vulnerability, if the redirecting URL is modified, Facebook does not check whether the URL is legitimate or not and still redirects you to the modified redirecting URL.



I post a link on my wall that says:

"Visit us" and then there is the hgunified.com link. Now when I click on the link, the following URL appears first:
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.hgunified.com%2F&h=random string.

(To get this link, click on any link posted on FB by anyone for any site and press the cross button (the cross button next to the refresh button) of your browser before the site loads. You will be able to see it in your URL bar. You may have to try 2-3 times to get this URL. First observe that the long URL changes to a short one.)

which is then changed to


Now let's break up this URL.

part1 = http://www.facebook.com - says that it is on/from Facebook.

part2 = l.php?u=http%3A%2F%2Fwww.hgunified.com%2F - accesses the file l.php for redirection to http://www.hgunified.com

part3 = &h=random string - is a token generated by Facebook, based on different values, to decide whether the external link is trustworthy or not. The token is a 9-digit string within the range. (For some banned sites this technique won't work, but you can always use the Google URL shortener technique for the banned sites.)

Now, if we change part 2 to l.php?u=http://google.com and join parts 1, 2 and 3,

we get
http://www.facebook.com/l.php?u=http://google.com&h=random string.
Guess what?
You are redirected to Google. Similarly, you can redirect the person to any other URL.
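Why the edit in part 2 works, and what a server-side check looks like, can be shown with a small simulation. The Python below is an added example, not Facebook's code: it assumes a hypothetical l.php handler whose h= token is an HMAC over the exact u= target, so swapping part 2 while keeping part 3 (the step walked through above) fails verification. The signing key and the links are constructed values.

```python
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs, quote

# Hypothetical server-side signing key (constructed value for this example).
SECRET_KEY = b"example-signing-key"
ALLOWED_SCHEMES = ("http", "https")


def sign_target(target: str) -> str:
    """Token bound to the exact target URL: HMAC-SHA256, truncated to 16 hex chars.
    Any change to the target produces a different token."""
    mac = hmac.new(SECRET_KEY, target.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def build_redirect_link(target: str) -> str:
    """Build an l.php-style link whose h= token covers the u= target."""
    return "http://www.facebook.com/l.php?u=%s&h=%s" % (
        quote(target, safe=""), sign_target(target))


def extract_params(link: str):
    """Return (u, h) from the redirect link's query string, or (None, None)."""
    query = parse_qs(urlparse(link).query)
    return query.get("u", [None])[0], query.get("h", [None])[0]


def swap_target(link: str, new_target: str) -> str:
    """Replace the u= value while keeping h=, mirroring the part-2 edit above."""
    _, h = extract_params(link)
    return "http://www.facebook.com/l.php?u=%s&h=%s" % (new_target, h)


def resolve_unvalidated(link: str):
    """Weak behaviour the post describes: redirect wherever u= points."""
    u, _ = extract_params(link)
    return u


def resolve_validated(link: str):
    """Hardened handler: redirect only if h= is a valid token for exactly this u=."""
    u, h = extract_params(link)
    if not u or not h:
        return None
    if not hmac.compare_digest(sign_target(u), h):
        return None  # token does not match the target: tampered or forged
    if urlparse(u).scheme not in ALLOWED_SCHEMES:
        return None  # refuse non-web schemes even with a valid token
    return u


if __name__ == "__main__":
    good = build_redirect_link("http://www.hgunified.com/")
    tampered = swap_target(good, "http://google.com")
    print(resolve_unvalidated(tampered))  # http://google.com
    print(resolve_validated(tampered))    # None
```

The point of the design is that the token is computed over the target rather than handed out independently of it: a reader can still see the full link, but the server no longer relies on the reader to notice that part 2 changed. A constant-time comparison (hmac.compare_digest) is used so that token checking does not leak timing information.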
Now, how do you protect yourself from attackers using this to redirect you to phishing pages?

Simple: do not judge a link just by its beginning; read and interpret the entire link before clicking.


