Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Facebook URL Redirect Vulnerability
From: Nathan Power <np () securitypentest com>
Date: Wed, 2 Mar 2011 10:45:51 -0500

This rule can be subverted because of the content keyword.

Below is an example:

Add two content keywords 'track.php?' and 'r='

Nathan Power

On Mon, Feb 28, 2011 at 3:35 PM, Weir, Jason <jason.weir () nhrs org> wrote:

 Here's a snort rule that will detect this

alert tcp $HOME_NET any -> [,,]
$HTTP_PORTS (msg:"Facebook URL Redirect Vulnerability";
flow:established,to_server; content:"GET"; nocase; http_method;
content:"track.php?r="; nocase; http_uri; reference:
sid:xxxxxxx; rev:1;)


 -----Original Message-----
*From:* full-disclosure-bounces () lists grok org uk [mailto:
full-disclosure-bounces () lists grok org uk] *On Behalf Of *Nathan Power
*Sent:* Monday, February 28, 2011 12:43 PM
*To:* Full Disclosure
*Subject:* [Full-disclosure] Facebook URL Redirect Vulnerability

1. Summary:

Once the victim clicks on a specially crafted Facebook URL they can be
redirected to a malicious website.
2. Description:

Facebook applications use of 'track.php?r=' doesn't sanitize the
redirection input properly.  This allows an attacker to input any URL that a
victim will get redirected too.  It is not required for the victim to be
login to Facebook for this attack to work.

The following is an example of a vulnerable URL:


The following Google search query can be used to find vulnerable URLs:
site:facebook.com inurl:"track.php?" inurl:"r="
3. Impact:

Potentially allow an attacker to compromise a victim’s Facebook account
and/or computer system.
4. Affected Products:

5. Solution:  None
6. Time Table:

2/27/2011 Reported Vulnerability to the Vendor
7. Credits:

Discovered by Nathan Power


Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]