Open-Redirect Vulnerability in Instagram’s Mobile Application
In this blog, I’ll be discussing an Open-Redirect vulnerability that I found a few days ago in Instagram’s Android application.
First we’ll look at what an Open-Redirect vulnerability is and what threats/risks it poses, and then I’ll dive into the details of the actual issue itself.
What is URL Redirection?
URL Redirection, also called URL Forwarding or just Redirection, is a feature applications use to send users to different pages or subdomains of the same application, or sometimes to an external one. Redirections make it easier to navigate an app and its resources.
When an application redirects a user to a fixed URL, or safely constructs the redirection URL from what the user asked for, it is a Safe Redirect. When the application builds the redirection URL from user input but fails to validate or filter that input, or lets the user control the destination outright, it is an Unsafe or Open Redirect.
Take a web application (foo.com) that keeps its resources on an external site (bar.com). The home page of foo.com has a resources button that points to foo.com/resources, but on the backend that path redirects to bar.com. When a user clicks the resources button, they land on foo.com/resources and are then redirected to bar.com.
A typical example of an open-redirect vulnerability in PHP code would be:
<?php
// Vulnerable: the 'url' query parameter goes straight into the Location header
$redirect = $_GET['url'];
header("Location: " . $redirect);
A request exercising this code only needs to carry the target in the url query parameter; PHP then answers with a 302 response whose Location header points wherever that parameter says.
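To show the difference between the open redirect above and a safe one, here is an added example (my own code, not from the original post): the PHP pattern re-created in Python next to a hardened version that resolves the parameter against the site's own origin and only redirects to an allowlisted host. The foo.com and bar.com hosts follow the post's example; the allowlist itself, the default target and the function names are assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Assumed allowlist: the only hosts this application may send users to.
# foo.com / bar.com follow the post's example; the list itself is an assumption.
ALLOWED_HOSTS = {"foo.com", "bar.com"}
DEFAULT_TARGET = "https://foo.com/"


def open_redirect_location(url_param: str) -> str:
    """Python twin of header("Location: " . $_GET['url']): the parameter is
    echoed into the Location header with no validation, so any target works."""
    return url_param


def safe_redirect_location(url_param: str) -> str:
    """Return a Location value only when url_param lands on an allowlisted host;
    otherwise fall back to the site's own home page.

    The value returned is the *reconstructed* absolute URL, never the raw
    parameter, so browser-side parsing quirks cannot reinterpret it.
    """
    if not url_param:
        return DEFAULT_TARGET
    # Browsers treat backslashes as slashes in URLs; normalise before parsing so
    # "/\evil.example" is seen as the scheme-relative "//evil.example" it really is.
    candidate = url_param.replace("\\", "/")
    # Resolving against our own origin turns relative paths into safe absolute
    # URLs and exposes the real host behind scheme-relative references.
    resolved = urljoin(DEFAULT_TARGET, candidate)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):  # rejects javascript:, data:, etc.
        return DEFAULT_TARGET
    # .hostname drops userinfo ("foo.com@evil.example") and the port, and the
    # comparison is exact, so "foo.com.evil.example" does not match either.
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return resolved


if __name__ == "__main__":
    for raw in ("/resources", "https://bar.com/docs", "//evil.example/x",
                "https://foo.com.evil.example/", "javascript:alert(1)"):
        print(f"{raw!r:34} open -> {open_redirect_location(raw)!r:34} "
              f"safe -> {safe_redirect_location(raw)!r}")
```

The important design choice is that the safe version never echoes the parameter back: it parses, normalises, checks the host, and then emits the URL it reconstructed, so inputs that a browser would read differently from the server-side parser cannot slip through.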
Impact of Open-Redirects
Although usually rated a low-severity issue, Open-Redirect vulnerabilities are mainly used to send victims to an attacker-controlled application, where they may be phished or social-engineered for PII, credentials and so on. Chained with other vulnerabilities, though, an Open Redirect can have a much higher impact.
Examples of Open-Redirects chained with other vulnerabilities include turning one into an XSS attack or using it to steal an OAuth token.
Details of these attacks and a few others can be found on Detectify’s blog on The Real Impact of Open Redirect Vulnerability.
Open-Redirect in Instagram Mobile Application
So moving towards this particular issue: I was going through Instagram stories when I saw an ad which had a swipe-up link in it. I swiped up on the story and the link opened in the in-app browser, so I tapped the three-dots menu and then Open in Chrome, and I noticed that the URL generated looked like https://l.instagram.com/?u=<url_to_be_redirected_to>&e=<user_specific_hash_which_expires_over_time> before I got redirected to the actual website itself.
So, I copied this URL and tried to manipulate the ‘u’ parameter; I tried various arbitrary domains and got redirected to them. I got excited and set out to report this vulnerability, but as I was writing my report I got a prompt from Facebook saying that for a successful Open Redirect I would have to redirect myself to https://evilzone.org, as Facebook checks for malicious domains before redirecting, and when I tried this domain, I got an error saying it was a malicious domain.
Basically, Facebook uses its Link Shim technology to check the redirection target against a list of malicious domains which it maintains internally, along with lists from external partners such as Google, McAfee and Web of Trust. If the redirection URL is found to be malicious, a page is displayed (like the one in the screenshot above) warning the user about the link.
Read more about Link Shim here.
Link Shim Bypass
So, I thought of bypassing this Link Shim protection and the first thing that came into my mind was URL shortening. I went to TinyURL and created a shortened link for https://evilzone.org and then tried again.
And I was successfully able to bypass Link Shim protection and got redirected to https://evilzone.org.
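As an added example (my own code, not Facebook's or Instagram's), the following sketches what a link shim of the ?u=<target>&e=<expiring hash> shape described above can do on the server side, and why the shortener bypass works when the blocklist is applied only to the first URL: the e value is an HMAC bound to the user, the target and an expiry (a design assumption; the post only says the hash is user-specific and expires), and the blocklist check walks the whole redirect chain instead of stopping at the first hop. The secret key, the blocklist contents, the fake shortener table and the hop limit are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions constructed for this example: the server-side key, the blocklist
# (evilzone.org is the domain Facebook's program asks researchers to use) and
# the hop limit for following redirect chains.
SECRET = b"link-shim-secret-constructed-for-example"
BLOCKED_HOSTS = {"evilzone.org"}
MAX_HOPS = 5
SHIM_ORIGIN = "https://l.instagram.com/"


def _mac(target: str, user_id: str, expires: int) -> str:
    """HMAC over user, expiry and target: the 'e' value is bound to one user,
    one deadline and one destination, so none of them can be swapped later."""
    msg = f"{user_id}|{expires}|{target}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_shim_link(target: str, user_id: str, ttl: int = 3600,
                   now: Optional[int] = None) -> str:
    """Build the ?u=<target>&e=<expiring hash> form seen in the post."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    e = f"{expires}.{_mac(target, user_id, expires)}"
    return SHIM_ORIGIN + "?" + urlencode({"u": target, "e": e})


def parse_shim_link(link: str) -> Tuple[str, str]:
    """Pull the u and e parameters back out of a shim link."""
    q = parse_qs(urlsplit(link).query)
    return q["u"][0], q["e"][0]


def verify(target: str, user_id: str, e: str, now: Optional[int] = None) -> bool:
    """True only if e is well formed, unexpired and matches this user and target."""
    try:
        expires_str, mac = e.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if now > expires:
        return False
    return hmac.compare_digest(mac, _mac(target, user_id, expires))


# Constructed stand-in for the Location headers a real resolver would fetch with
# HEAD requests: one shortener URL that forwards to the blocked site.
FAKE_LOCATIONS = {"https://tinyurl.example/abc": "https://evilzone.org/"}


def resolve_chain(url: str, fetch_location=FAKE_LOCATIONS.get) -> List[str]:
    """Follow Location hops without rendering any of them; returns every URL seen."""
    chain = [url]
    for _ in range(MAX_HOPS):
        nxt = fetch_location(chain[-1])
        if not nxt or nxt in chain:
            break
        chain.append(nxt)
    return chain


def shim_decision(target: str, user_id: str, e: str, now: Optional[int] = None,
                  fetch_location=FAKE_LOCATIONS.get) -> Tuple[str, str]:
    """('redirect', url), ('warn', host) or ('reject', reason).

    Every hop of the chain is checked, not just the first URL, which is what
    closes the shortener bypass described in the post.
    """
    if not verify(target, user_id, e, now):
        return ("reject", "missing, tampered or expired signature")
    for hop in resolve_chain(target, fetch_location):
        host = (urlsplit(hop).hostname or "").lower()
        if host in BLOCKED_HOSTS:
            return ("warn", host)
    return ("redirect", target)


if __name__ == "__main__":
    link = make_shim_link("https://tinyurl.example/abc", "user42", now=1000)
    u, e = parse_shim_link(link)
    print(link)
    print(shim_decision(u, "user42", e, now=1500))  # warns on the resolved host
```

Two things are worth noting. First, the signature does not stop the shortener trick on its own: a shortened link is a perfectly valid target, so the HMAC validates and only the chain walk catches the blocked destination behind it. Second, a real resolver would fetch each hop with a HEAD request and a short timeout rather than the constructed table used here, and the walk is bounded by MAX_HOPS and a seen-list so a looping chain cannot tie up the shim.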
I modified my report, included this bypass and sent it to Facebook, but I got a reply that fixing this was beyond their control, which, in my opinion, makes sense given their reply. But nevertheless, it was a good learning experience.