Security Vulnerability Found in Facebook and Google – A Spammer’s Paradise
Written by Sue Walsh on January 18, 2012
An open redirect vulnerability has been found on both Facebook and Google. It could easily be used to send users to a phishing page or a malicious domain. In a phishing attack, users wouldn’t even realize they’d been redirected; they’d just think their login didn’t work the first time. This could potentially give scammers access to thousands of Facebook and Google accounts, and since many people have Gmail accounts linked to their Google accounts, access to those as well. A spammer’s paradise. Here’s a look at how it works:
The Google vulnerability is located at the following URL:
https://accounts.google.com/o/oauth2/auth?redirect_uri=<malicious redirect>
If I’m not mistaken, I believe that this is actually a flaw inside of the Google API for third-party applications, because it is contained under the oauth directory. OAuth is what is used to make a secure link to an online account via a web API without the user compromising their password to an untrusted application.
The Facebook vulnerability is located at the following URL:
http://www.facebook.com/l.php?h=5AQH8ROsPAQEOTSTw7sgoW1LhviRUBr6iFCcj4C8YmUcC8A&u=<malicious redirect>
In order to test both of these vulnerabilities, I recommend using the Facebook phishing tutorial found at Null Byte. However, when our web page is done, the link to our URL should be appended after the equal sign where it says “malicious redirect”. After you have crafted your URL, click it and see if you go through to your phishing page. If you did, pat yourself on the back and go mess with some of your friends.
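The root cause in both URLs above is a redirect parameter (`redirect_uri`, `u`) whose value is followed without being checked against the site’s own hosts. The following is an added example of the server-side check that closes an open redirect; it is not code from the article, Google or Facebook, and the hosts `accounts.example.com` / `www.example.com` are placeholders chosen for the example. It also covers the usual bypasses a naive “does it start with a slash?” check misses: scheme-relative `//host`, backslash variants, userinfo tricks (`trusted@evil`), lookalike suffixes and non-HTTP schemes.

```python
from urllib.parse import urlparse, urljoin

# Hosts this application is allowed to redirect to (placeholder values for the example).
ALLOWED_HOSTS = {"accounts.example.com", "www.example.com"}
# Origin used to resolve relative paths, so "/settings" stays on our own site.
SITE_ORIGIN = "https://www.example.com"
FALLBACK = "/"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` resolves to an https URL on an allow-listed host.

    Anything else (other hosts, scheme-relative URLs, javascript:/data: schemes,
    userinfo tricks such as trusted@evil, lookalike suffixes) is rejected.
    """
    if not target or not target.strip():
        return False
    # Browsers treat backslashes like forward slashes, so "/\evil.example" would be
    # navigated to as "//evil.example". Normalise before parsing.
    target = target.strip().replace("\\", "/")
    # Resolve relative targets against our own origin; "//evil.example" becomes
    # "https://evil.example" here and is then rejected by the host check below.
    resolved = urlparse(urljoin(SITE_ORIGIN, target))
    if resolved.scheme.lower() != "https":
        return False
    # .hostname drops userinfo and port, so "https://trusted@evil.example" yields
    # "evil.example", and exact-match lookup defeats "trusted.example.com.evil.example".
    host = resolved.hostname
    return host is not None and host.lower() in allowed_hosts


def resolve_redirect(target: str) -> str:
    """Return the URL the application may redirect to, or the fallback if unsafe."""
    if is_safe_redirect(target):
        # Re-resolve so the caller always receives an absolute, normalised URL.
        return urljoin(SITE_ORIGIN, target.strip().replace("\\", "/"))
    return FALLBACK


if __name__ == "__main__":
    # Constructed test values: a legitimate path, a legitimate partner host, and
    # several shapes an attacker would put in the redirect parameter.
    for candidate in [
        "/account/settings",
        "https://accounts.example.com/o/callback",
        "https://evil.example/login",
        "//evil.example/login",
        "/\\evil.example",
        "https://accounts.example.com@evil.example/",
        "https://accounts.example.com.evil.example/",
        "javascript:alert(1)",
    ]:
        print(f"{candidate!r:50} -> {resolve_redirect(candidate)}")
```

The key design choice is to resolve the parameter against the site’s own origin and then compare the resulting hostname against an exact allow-list, rather than trying to blacklist bad prefixes. If the application only ever needs to return users to its own pages, tightening further to “relative path only” (reject anything with a netloc) is simpler still.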
What’s truly outrageous about this is that when notified about this, both Facebook and Google ignored the issue completely. Now as far as Facebook is concerned, this doesn’t surprise me. Anyone who has ever had a problem with the site and needed to contact them knows it’s next to impossible. Unlike most sites, they have no customer service or tech support email or phone number, no online chat or web form – nothing! Instead they offer a help center which really isn’t all that helpful, and a ‘Known Issues’ page where any and all user posts are ignored. So yeah, I can see how Facebook could ignore this. I am surprised Google is, though. They’ve always seemed more user friendly to me.
I can’t help but feel that Google has too many eggs in the SOPA basket to worry about security right now. Maybe it’s not true, but it’s certainly the impression I’m getting. Either way, both of these exploits are frightening, and what’s worse, simple. The fact that it’s so easy to use that you can explain it sufficiently in a short article raises huge alarm bells. Something needs to be done about this.
There are several ways to detect open redirect attacks, but almost all of them are too technical for most users. They require some programming (PHP, Java, Ruby on Rails, Python, MySQL) and HTML skills.
For ordinary web users, there’s a sure, easy, and practical way to detect if you’ve been redirected to a harmful website. Try to install browser security apps. For Firefox, I recommend using Alexa. Although this web app does not directly tell you that you’ve visited a malicious website, it can tell you the site’s Traffic Rank. For instance, PayPal.com has a traffic rank of 33. If you intend to visit PayPal and Alexa tells you that it has a rank of 300,000, get out of that website immediately.
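For readers who do have a little programming, the “technical” detection the paragraph above alludes to is not complicated: inspect a link before (or after) it is clicked and flag any query parameter whose value is an absolute URL pointing at a host other than the link’s own. Below is an added example of that check, written for this page rather than taken from the article or any vendor; `social.example` and `phish.example` are constructed placeholder hosts standing in for the link shapes shown earlier, and `CONSTRUCTEDTOKEN` is a made-up stand-in for the `h=` value. The same function can be run over URLs pulled from mail or proxy logs.

```python
from urllib.parse import urlparse, parse_qsl, unquote

# Constructed sample links mirroring the two patterns described in the article:
# an OAuth-style redirect_uri and a link-wrapper with a u= parameter.
SAMPLE_LINKS = [
    "https://accounts.social.example/o/oauth2/auth"
    "?redirect_uri=https%3A%2F%2Fphish.example%2Flogin&scope=email",
    "https://www.social.example/l.php?h=CONSTRUCTEDTOKEN&u=http://phish.example/login",
    "https://www.social.example/l.php?h=CONSTRUCTEDTOKEN&u=https://www.social.example/photos",
    "https://www.social.example/search?q=open+redirect",
]


def _target_host(value: str):
    """Return the hostname a parameter value would navigate to, or None if it is not a URL."""
    # parse_qsl already URL-decodes once; decode a second time to catch double-encoded
    # values (%253A%252F%252F), and normalise backslashes the way browsers do.
    v = unquote(value).strip().replace("\\", "/")
    parsed = urlparse(v)
    if parsed.scheme.lower() in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    if v.startswith("//"):  # scheme-relative URL, also followed by browsers
        return urlparse("http:" + v).hostname.lower()
    return None


def find_offsite_redirects(link: str, trusted_hosts=()):
    """Return [(parameter, host), ...] for every query parameter that points off-site.

    `trusted_hosts` lets you whitelist sibling hosts of the same organisation
    (e.g. an accounts subdomain) so they are not reported as suspicious.
    """
    link_host = (urlparse(link).hostname or "").lower()
    hits = []
    for name, value in parse_qsl(urlparse(link).query, keep_blank_values=True):
        host = _target_host(value)
        if host and host != link_host and host not in trusted_hosts:
            hits.append((name, host))
    return hits


def scan_links(links, trusted_hosts=()):
    """Map each link to its off-site redirect findings, keeping only links with hits."""
    return {link: find_offsite_redirects(link, trusted_hosts)
            for link in links if find_offsite_redirects(link, trusted_hosts)}


if __name__ == "__main__":
    for link, findings in scan_links(SAMPLE_LINKS).items():
        for param, host in findings:
            print(f"suspicious: {link}\n    parameter {param!r} sends the browser to {host}")
```

A hit does not prove the destination is malicious, only that the link is a redirector to a third host, which is exactly what a phishing mail abusing an open redirect looks like. Treat it as a reason to check where the link really lands rather than trusting the domain shown at the start of the URL.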