Flaw in Facebook & Google Allows Phishing, Spam & More
Here's a nasty little Null Byte. An open redirect vulnerability was found in both Facebook and Google that could allow hackers to steal user credentials via phishing. This also potentially allows redirects to malicious sites that exploit other vulnerabilities in your OS or browser. This could even get your computer flooded with spam, and these holes have been known about for over a month.
Normally, holes like this are fixed within a few hours, but Google and Facebook don't seem to care too much. Google does not offer their regular Vulnerability Reward for this kind of exploit. So, we will be going over how this exploit could be used against us and how to protect ourselves from it. Maybe this will encourage Google and Facebook to push their developers into fixing these holes as soon as possible. I wish it wouldn't take a few thousand user complaints to get them motivated.
An open redirect vulnerability exists when a web script allows a redirect to an external site without filtering it to make sure it is from the correct domain. This would allow us to craft malicious URLs to send users, or even make phishing pages. The user would simply think that they had to log in twice. It could also be used to redirect victims to malicious web sites that exploit browser 0days, which are undiscovered vulnerabilities, only known to the hacker.
- Facebook or Google access
- A phishing page, or whatever you choose to use to test the exploit
Let's go over the locations of these vulnerabilities on both websites.
The Google vulnerability is located at the follwing URL:
If I'm not mistaken, I believe that this is actually a flaw inside of the Google API for 3rd party applications, because it is contained under the oauth directory. Oauth is what is used to make a secure link to an online account via a web API without the user compromising their password to an untrusted application.
The Facebook vulnerability is located at the following URL:
In order to test both of these vulnerabilities, I recommend using the Facebook phishing tutorial found at Null Byte. However, when our web page is done, the link to our URL should be appended after the equal sign where it says "malicious redirect". After you have crafted your URL, click it and see if you go through to your phishing page. If you did, pat yourself on the back and go mess with some of your friends.
Thankfully, this isn't that hard. Always look at the URL in your address bar after clicking a link to see if you've been taken to another site. Never enter your Google or Facebook password (or any other password for that matter) on any webpage if the URL in the address bar is not from the site you expect.
You could also "whitelist" trusted domains on your computer, which would only allow you to visit the sites you specify, which is a very safe, but tedious practice.
Want more Null Byte?