A vulnerability has been discovered in connection with the RFC 6749 Open Redirector Attack in the Facebook API v2.1. The RFC 6749 open redirect vulnerability allows a remote attacker to convince a user to click on a trusted link that has been specially crafted to take them to an arbitrary website; the target website could be used, for example, to serve malware.
The RFC6749 open redirect vulnerability is located in the
The request method to exploit the vulnerability is GET and the attack vector is located on the client side of the framework web application. The vulnerable code is located in API v2.1 of the Facebook framework. During exploitation the victim's Facebook account receives a link to a malicious site.
The security risk of the issue is estimated as medium with a CVSS (Common Vulnerability Scoring System) score of 3.2. Exploitation of the web vulnerability requires no privileged web application user account and only low user interaction. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks and non-persistent external redirects to malicious sources.
Request Method(s):
[+] GET

Vulnerable Module(s):
[+] /oauth/authorize

Vulnerable Parameter(s):
[+] response_type
[+] client_id
[+] redirect_uri
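The redirect_uri handling that RFC 6749 prescribes for an /oauth/authorize endpoint, as an added example that is not part of this advisory or of Facebook's code: a substring-style check of the kind that yields an open redirector, next to the exact-match check the RFC requires, using a constructed client registration and constructed request values.

```python
from urllib.parse import urlsplit

# Constructed example data: the full redirection URI a client registered when it
# was created (RFC 6749 section 3.1.2.2). The client id is hypothetical.
REGISTERED_CLIENTS = {
    "client-123": ["https://app.example.com/oauth/callback"],
}


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """The kind of check that produces an open redirector: it only asks whether
    the registered host appears somewhere in the supplied redirect_uri."""
    registered = REGISTERED_CLIENTS.get(client_id, [])
    return any(urlsplit(r).hostname in redirect_uri for r in registered)


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """RFC 6749 section 3.1.2.3: compare the request value against the
    registered URI with simple string comparison. The scheme, netloc and
    fragment checks (section 3.1.2) are defence in depth on top of that."""
    registered = REGISTERED_CLIENTS.get(client_id)
    if not registered:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    return redirect_uri in registered


def authorize(client_id: str, response_type: str, redirect_uri: str) -> dict:
    """Decision for GET /oauth/authorize?response_type=..&client_id=..&redirect_uri=..
    Returns the action the server should take instead of performing it."""
    if not strict_redirect_check(client_id, redirect_uri):
        # Section 4.1.2.1: on a missing, mismatching or invalid redirect_uri the
        # server MUST NOT redirect; it informs the resource owner directly.
        return {"action": "error_page", "error": "invalid_redirect_uri"}
    if response_type not in ("code", "token"):
        # Any other error is returned to the now-validated redirect URI.
        # Assumes the registered URI carries no query string of its own.
        return {"action": "redirect",
                "location": f"{redirect_uri}?error=unsupported_response_type"}
    return {"action": "redirect", "location": redirect_uri}
```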