Tag Archives: facebook url redirect flaw

Facebook Redirect Link – New Bypass Method – “:/” after the domain name

Facebook is using “facebook.com/l.php?u=THE_External_URL” whenever you click on an external link; and as a result:
1- Your current page won’t be sent via the “Referer” section of the HTTP header. So, it is useful for the privacy.
2- It is possible to stop malicious or unwanted links by using a single point (“l.php” page).

Now, I want to show a flaw in this process in which by clicking on an external URL in Facebook, users can go directly to the destination URL without passing the “facebook.com/l.php” page:

Add a “:/” at the end of the domain name! That’s it!
Put these links in a comment section on your Facebook page and click on them too see the result (If you know how to work with local proxy tools such as burp suite, you can directly post a link on your wall [not just in comment section] with “:/” in the URL to exploit this flaw):
     – https://fp.auburn.edu:/oit/show_server_variables.asp
     – http://soroush.secproject.com:80:/

Now, do not click on the links which have “:/” after the domain name with or without port number! (18 Dec. 2010)

NOTE: This issue had been reported to Facebook at least twice more than 1 month ago without having any response.