Open redirects are not dead! Or are they?


CWE-601 - A Facebook Example

Summary

Over the last few years doing bug bounties, it has become more and more common for companies to reject reports about Open Redirects. Once upon a time we could turn an open redirect into XSS by using the javascript: scheme, but since modern browsers tightened their security this no longer applies. The best attack vector these days would most likely fall under social engineering. Again, 9 times out of 10, this vector would likely be out of scope.

So the question is, does anyone still care about Open Redirects? The answer is - probably not.

Here are two examples that were reported to Facebook over the last couple of years. Both were reported and fixed, but only one was eligible for a bounty.

Example 1 - Login flow - internalfb.com

The first was reported back in September 2020. The vulnerability worked as follows:

  1. Visit: https://www.internalfb.com/intern/login/?next=.ash-king.co.uk
  2. Enter a valid email address in the login form
  3. Click the Next button
  4. You will be redirected to `https://www.internalfb.com.ash-king.co.uk/` - a domain not controlled by Facebook

Overall the triage process was pretty straightforward. Accepted and moved to the product team 3 days later. The issue was then resolved within the month.

Facebook awarded a $500 bounty with a response of:

After reviewing this issue, we have decided to award you a bounty of $500. Below is an explanation of the bounty amount. Facebook fulfills its bounty awards through Bugcrowd and HackerOne.

It's possible to redirect users from our Intern login page to any site including evilzone.org (site blacklisted by linkshim)

Facebook acknowledged this was a security issue!

Example 2 - 2FA flow - facebook.com

The second example was reported back in December 2021. The vulnerability worked as follows:

  1. Log into Facebook with UserA
  2. Visit https://www.facebook.com/security/twofactor/reauth/?twofac_next=https%3A%2F%2Ftest.facebook-whitehat.com&type=avoid_bypass&app_id=0&save_device=0 as UserA
  3. Confirm your two-factor authentication; in my case I used a Yubico USB key
  4. You will be redirected to test.facebook-whitehat.com - a blacklisted domain

You can see this action here:

Again, the triage process was pretty straightforward. Accepted and moved to the product team 5 days later. The issue was then resolved within the month.

Then I received the following response:

Hi Ash,
Thanks for writing in.
We have discussed the issue at length and concluded that, whilst you reported a valid issue which the team may make changes based on, unfortunately your report falls below the bar for a monetary reward.
This is because even if linkshim is not applied here, the fact that the user requires interactions makes it non-exploitable for having enough security impact to qualify for our bug bounty program. I wish you luck in your continued bug hunting.
Thanks,
[REDACTED]
Security

With that being said, it feels like even the larger companies are no longer rewarding these finds. For me, this tells me two things:

  1. Companies expect the end user to be clued up and keep track of the URLs they are on - let's not pretend that everyone understands what a web browser is, especially if an action on site X caused a redirect (auth)
  2. Companies rely on the web browser too much: what happens if Chrome/Firefox decide that javascript: is no longer an unsafe redirect? All the Open Redirects are now XSS

Just to add to this, I recently received a private invite to a HackerOne Clear program. The policy stated that open redirects are out of scope, but the most frustrating part was that there was an open redirect on the login page! This was left unreported to save some reputation points, but leaving the smallest vulnerabilities like this could have a huge knock-on effect in the future if abused en masse.
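As an added defender-side example (not code from this post, nor Facebook's own code), here is a small Python validator for a next-style redirect parameter. naive_redirect is an assumed reconstruction of the Example 1 behaviour, where the parameter is appended to the site origin so that .ash-king.co.uk produces https://www.internalfb.com.ash-king.co.uk/; safe_redirect accepts only same-site relative paths or absolute URLs whose host exactly matches a constructed allowlist, which also rejects the Example 2 value https://test.facebook-whitehat.com.

```python
from urllib.parse import urlsplit

# Hosts a post-login redirect may land on (constructed allowlist for this example).
ALLOWED_HOSTS = {"www.internalfb.com", "www.facebook.com"}


def naive_redirect(next_param: str) -> str:
    """Assumed reconstruction of the Example 1 bug: the ``next`` value is glued
    onto the origin without parsing, so a value starting with a dot turns the
    trusted host into a subdomain of a host the site does not control."""
    return "https://www.internalfb.com" + next_param + "/"


def safe_redirect(next_param: str, default: str = "/") -> str:
    """Return a redirect target that stays on an allowed host, else ``default``."""
    if not next_param:
        return default
    # Browsers treat backslashes as slashes; normalise first so that
    # "/\evil.example" cannot pass as a relative path and then be re-read as "//evil.example".
    candidate = next_param.replace("\\", "/")
    parts = urlsplit(candidate)
    # Only a missing scheme (relative URL) or plain http(s) is acceptable;
    # this drops javascript:, data: and any other scheme outright.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default
    if parts.netloc:
        # Absolute or protocol-relative URL: the parsed hostname must match the
        # allowlist exactly. No prefix/suffix string checks, which is exactly what
        # "www.internalfb.com.ash-king.co.uk" or "www.facebook.com@evil" would slip past.
        if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
            return default
        return candidate
    # Relative URL: require exactly one leading slash, so a bare ".ash-king.co.uk"
    # or "evil.example/path" is never appended or followed.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate
```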

I'd be interested to know anyone else's views / experience with Open Redirects. Get in touch or leave a comment :)

about me

29 year old multistack developer & security researcher based in Gosport, UK. I like to blog about interesting vulnerabilities I come across, when allowed 🙄