Facebook Redirect Link – New Bypass Method – “:/” after the domain name

Facebook routes every click on an external link through “facebook.com/l.php?u=THE_External_URL”, which has two effects:
1- Your current page is not sent in the “Referer” header of the HTTP request, which is good for privacy.
2- Malicious or unwanted links can be blocked at a single choke point (the “l.php” page).

Now, I want to show a flaw in this process: by clicking on an external URL in Facebook, users can be taken directly to the destination URL without passing through the “facebook.com/l.php” page:

Add a “:/” at the end of the domain name! That’s it!
PoC:
Put these links in a comment on your Facebook page and click on them to see the result (if you know how to work with a local proxy tool such as Burp Suite, you can post a link containing “:/” directly on your wall, not just in the comment section, to exploit this flaw):
     - https://fp.auburn.edu:/oit/show_server_variables.asp
     - http://soroush.secproject.com:80:/

For now, do not click on links that have “:/” after the domain name, with or without a port number! (18 Dec. 2010)
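The root cause described above is a link recogniser that disagrees with the browser: the browser follows “host:/path”, but the wrapper logic never recognises it as an external link, so it is emitted unwrapped. The Python below is an added example, not Facebook's code or any code from the post. It shows a hypothetical loose recogniser of that kind beside a hardened rewriter that parses the authority strictly, canonicalises the host and port, and fails closed by routing anything it cannot parse through the wrapper. The wrapper URL (with the “https” scheme and “www” host), the list of internal hosts, and all function names are assumptions for the example; the two PoC links are the ones from the post.

```python
import re
from urllib.parse import urlsplit, urlunsplit, quote

# Wrapper endpoint named in the post; the scheme and the "www" host are assumed.
WRAPPER = "https://www.facebook.com/l.php?u="
# Hosts whose links may bypass the wrapper (assumed list for the example).
INTERNAL_HOSTS = {"facebook.com", "www.facebook.com"}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Strict authority grammar: optional userinfo, a hostname or bracketed IPv6
# literal, and an optional *numeric* port. "host:" and "host:80:" do not match.
_AUTHORITY_RE = re.compile(
    r"^(?:[^@/?#]*@)?"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)"
    r"(?::(?P<port>[0-9]{1,5}))?$"
)

# Hypothetical loose recogniser illustrating the bug class (not Facebook's
# code): it only treats text as a link when "host[:port]" is followed directly
# by "/", so "host:/" is never recognised and therefore never wrapped, even
# though browsers follow it.
_LOOSE_LINK_RE = re.compile(r"^https?://[\w.-]+(?::\d+)?/")


def loose_is_link(text):
    """The weak check: returns False for the ":/" form the post describes."""
    return bool(_LOOSE_LINK_RE.match(text))


def canonicalize(url):
    """Parse strictly and return a normalised URL, or raise ValueError."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme %r" % parts.scheme)
    m = _AUTHORITY_RE.match(parts.netloc)
    if m is None:
        raise ValueError("malformed authority %r" % parts.netloc)
    host = m.group("host").lower().rstrip(".")
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS[scheme]
    if not 0 < port <= 65535:
        raise ValueError("port out of range: %d" % port)
    # Drop the default port so "example.com:80" and "example.com" compare equal.
    netloc = host if port == DEFAULT_PORTS[scheme] else "%s:%d" % (host, port)
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, parts.fragment))


def rewrite_link(url):
    """Return the href to emit for a user-posted link.

    Internal links pass through unchanged; every other link, including any
    link that fails strict parsing, is sent through the wrapper (fail closed).
    """
    try:
        canonical = canonicalize(url)
    except ValueError:
        # Cannot parse it reliably: assume external and wrap the raw text.
        return WRAPPER + quote(url, safe="")
    if urlsplit(canonical).hostname in INTERNAL_HOSTS:
        return canonical
    return WRAPPER + quote(canonical, safe="")


if __name__ == "__main__":
    for link in ("https://fp.auburn.edu:/oit/show_server_variables.asp",
                 "http://soroush.secproject.com:80:/",
                 "http://Example.com:80/a?b=1",
                 "https://www.facebook.com/profile"):
        print("loose=%s  hardened=%s" % (loose_is_link(link), rewrite_link(link)))
```

The design point is the fail-closed branch in `rewrite_link`: a link wrapper only protects users if every link a browser will follow either parses cleanly into a known-internal host or goes through the wrapper, so an unparseable authority must be wrapped rather than ignored.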

NOTE: This issue has been reported to Facebook at least twice, more than a month ago, without any response.

About Soroush Dalili
Web application security pentester.

3 Responses to Facebook Redirect Link – New Bypass Method – “:/” after the domain name

  1. Aaron says:

    Hi,

    Maybe you can help me. I’ve directed / forwarded my URL / domain to my Facebook page. But before the redirect to the page, a prompt appears where you have to click “Go To Facebook” before you can access / land on the Facebook page. Is there a way to solve this? Thanks!

  2. เย็ด says:

    This issue had been reported to Facebook at least twice more than 1 month ago without having any response.