Facebook API v2.1 hit by RFC6749 Open Redirect Attack Vulnerability

The Vulnerability Laboratory core team researcher "SaifAllah benMassaoud" discovered a zero-day RFC 6749 open redirector vulnerability in Facebook API v2.1. The vulnerability allows a remote attacker to register a manipulated client-side application and craft browser requests that send the victim to an arbitrary website; that website could then be used to serve malware.
The RFC 6749 zero-day open redirector vulnerability is located in the 'response_type', 'client_id' and 'redirect_uri' parameters of the GET request. During exploitation the victim, while logged in to Facebook, is sent to the malware link site. The security risk of the vulnerability is estimated as medium. Exploitation of the vulnerability requires a medium privileged web-application user account. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious
[+] response_type
[+] client_id
[+] redirect_uri
Proof of Concept (PoC)
When an "invalid" scope is specified, the authorization URL redirects to the site given in "redirect_uri". An attacker can therefore register an app and use the endpoint as an open redirector that sends victims to fake sites. Attackers are also able to host phishing pages there and target Facebook accounts.
Manual steps to reproduce the vulnerability ...
1. I am registering a new client.
2. I register the redirect URI attacker.com.
3. Now, visit the following URL ...
PoC: oauth/authorize?response_type=code&client_id=1621835668046481&redirect_uri=http://www.attacker.com/&scope=WRONG_SCOPE
4. This will finally redirect to the attacker.com source.
5. Successful reproduction of the security vulnerability in the Facebook API and framework!
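To make the failure mode concrete, the following added example (not code from the advisory or from Facebook) models an authorization endpoint in Python: `authorize_vulnerable` reproduces the behaviour described above, where a bad `scope` is answered with a 302 to the registered `redirect_uri` for any app, and `authorize_hardened` shows one mitigation, redirecting errors only to apps the user has already approved. The client registry, the `approved_client_ids` parameter and the response dicts are assumptions of this example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed app registry standing in for the provider's client database.
# The client_id and redirect_uri are the ones in the PoC above; anyone can
# register such an app, so "registered" is not "approved by this user".
CLIENTS = {
    "1621835668046481": {
        "redirect_uris": {"http://www.attacker.com/"},
        "scopes": {"public_profile", "email"},
    },
}

def _params(url):
    """Flatten the query string of an authorization request to str -> str."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def _validate(p):
    """Checks every handler runs first; returns (client, error_code)."""
    client = CLIENTS.get(p.get("client_id"))
    if client is None:
        return None, "unknown client_id"
    if p.get("redirect_uri") not in client["redirect_uris"]:  # exact match only
        return None, "redirect_uri not registered"
    if set(p.get("scope", "").split()) - client["scopes"]:
        return client, "invalid_scope"
    return client, None

def _redirect_with_error(p, err):
    return {"status": 302, "location": f"{p['redirect_uri']}?{urlencode({'error': err})}"}

def authorize_vulnerable(url):
    """Behaviour the advisory describes: a bad scope bounces the browser to
    redirect_uri with error=invalid_scope, no user interaction required."""
    p = _params(url)
    client, err = _validate(p)
    if client is None:
        return {"status": 400, "body": err}  # RFC 6749: never redirect on a bad redirect_uri
    return _redirect_with_error(p, err) if err else {"status": 200, "body": "consent page"}

def authorize_hardened(url, approved_client_ids):
    """Mitigation (an assumption, not necessarily what Facebook shipped): errors
    are redirected only to apps this user has already approved; any other app
    gets the error rendered in place, so it cannot be used as a redirector."""
    p = _params(url)
    client, err = _validate(p)
    if client is None:
        return {"status": 400, "body": err}
    if err and p["client_id"] not in approved_client_ids:
        return {"status": 400, "body": f"{err}: not redirecting for an unapproved app"}
    return _redirect_with_error(p, err) if err else {"status": 200, "body": "consent page"}
```

Feeding the PoC request to `authorize_vulnerable` yields a 302 to `http://www.attacker.com/?error=invalid_scope`, while `authorize_hardened` with an empty approved set answers 400 and only redirects once the app is in the user's approved list.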
Advisory: https://www.vulnerability-lab.com/get_content.php?id=1972