How I discovered a $1000 open redirect in Facebook

I am not really used to writing about vulnerabilities I have discovered, but this time it is worth it, since it is a bit exceptional for me: it is about a security issue found on Facebook.

As you have read in the title, Facebook was vulnerable to an open redirect because some parameters did not fully validate their input, allowing an attacker to redirect a victim to a malicious page. This kind of vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.

Vulnerable endpoints:

Facebook has indeed implemented some protection against open redirection, since I was not able to perform the attack using common techniques like the ones below:

None of the above bypass techniques worked! I was about to give up when I noticed in my Twitter feed some shortened Facebook links (redirects to that are automatically generated if you link your Facebook account with Twitter. I quickly got back to my pentest work and tried to bypass the protection using the shortened link. Thank God, the open redirection worked perfectly.

After reporting it to Facebook on 13/12/2014, it was fixed on 17/12/2014 and Facebook rewarded me with a $500 bounty.

Proof Of Concept 1: (You would be redirected to

I went back to check whether I could somehow bypass the protection again. So, I took a deep look at the domain and found some subdomains like for Facebook pages, and I tried to guess other valid subdomains. As a result, I found a valid subdomain which worked perfectly, allowing me to bypass the protection.

Proof Of Concept 2:

I quickly escalated the bug to the Facebook security team on 22/12/2014 and they fixed it on 24/12/2014, but they decided not to reward it because it was similar to the original one.

I was not happy with their decision, so I set out to find a way to bypass the protection again, hoping they might reconsider and raise the bounty for my continued efforts.

I tried some new tricks again, but all of them failed; then, unintentionally, I added "www." to the shortened Facebook link and the open redirect worked just fine. In other words, I bypassed Facebook's previous fix once again.

Proof Of Concept 3:

I followed up with the security engineer who escalated the bug on 24/12/2014; it got fixed on 30/12/2014 and, luckily, Facebook decided to reward $500 for it.
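As an added example (not Facebook's code and not from the original post), the Python below contrasts the fragile pattern each fix above relied on, a first-party suffix match plus a denylist of one known redirector host, with an exact-match allowlist that treats every other host variant as untrusted. All hostnames are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed hostnames for a hypothetical site; none are Facebook's.
FIRST_PARTY_SUFFIX = ".example.com"
# Exact-match allowlist of hosts that may be redirect targets.
ALLOWED_HOSTS = frozenset({"www.example.com", "app.example.com"})
# A first-party link shortener that forwards to caller-supplied destinations.
# Blocking it by name is the host-by-host fix that a subdomain or a "www."
# prefix slips past, which is the pattern the write-up describes.
BLOCKED_HOSTS = frozenset({"go.example.com"})


def denylist_check(target: str) -> bool:
    """Suffix allowlist plus a denylist of known redirectors (fragile)."""
    try:
        parsed = urlparse(target)
    except ValueError:
        return False
    host = (parsed.hostname or "").rstrip(".")
    return (parsed.scheme.lower() in ("http", "https")
            and host.endswith(FIRST_PARTY_SUFFIX)
            and host not in BLOCKED_HOSTS)


def strict_check(target: str) -> bool:
    """Exact-match allowlist: only listed hosts or same-origin paths pass."""
    # Protocol-relative URLs and backslash variants are rejected before parsing.
    if not target or target.startswith("//") or "\\" in target:
        return False
    try:
        parsed = urlparse(target)
    except ValueError:
        return False
    # A bare path such as "/feed" stays on the current origin.
    if not parsed.scheme and not parsed.netloc:
        return parsed.path.startswith("/")
    if parsed.scheme.lower() not in ("http", "https"):
        return False
    # Credentials in the authority ("https://app.example.com@evil.example/")
    # are never legitimate for a redirect target.
    if parsed.username or parsed.password:
        return False
    host = (parsed.hostname or "").rstrip(".")
    return host in ALLOWED_HOSTS
```

The denylist version accepts a subdomain of the shortener and its "www." form even though the shortener itself is blocked; the strict version rejects both because neither is an allowlisted host.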

Written on December 30, 2014