Open URL Redirection Vulnerability Discovered In Facebook

Security researcher Dan Melamed recently discovered a new vulnerability in Facebook. The open URL redirection vulnerability essentially allows a potential hacker to have redirected to any other URL of his choice.


In a post penned down on his site, Melamed has given a brief explanation of the flaw. This vulnerability could be used to trick a user into clicking on a Facebook link when in fact, that link could be redirecting to some other third-party website containing nefarious malware.

For instance, if you click on the URL given below, you are redirected to Facebook’s home page:

But if you replace the URL at the end with some other random string, a unique variable is generated and passed on to Facebook’s Linkshim. For instance, if you replace with, the URL parameter is passed on to Facebook’s Linkshim in the following form:

Now, to redirect a valid Facebook URL to a URL of your own liking, all you have to do is take out the ‘http://’ portion out of it. In the case of, if you enter it automatically takes the user to

All a hacker needs to do is craft a URL like that and then trick a Facebook user into clicking it. Facebook cites that it is able to ban such automatic redirection using Facebook URLs because it uses I.php method. But like Melamed says, “Not all malware/spam can be caught by facebook, and by the time a link is banned, an attacker would have already moved on to another link.”

The proof-of-concept video of the exploit is posted above. Melamed was lucky that Facebook responded timely to his report and approved it as a valid exploit, paying him $1000 as a reward.

Source: Dan Melamed

Courtesy: The Hacker News

[ttjad keyword=”cloud-storage-drive”]


Salman Latif is a software engineer with a specific interest in social media, big data and real-world solutions using the two.Other than that, he is a bit of a gypsy. He also writes in his own blog. You can find him on Google+ and Twitter .

Leave a Reply