Fortinet Blog | News and Threat Research

Facebook's automatic URL-wrapping: A double-edged sword?

by Guillaume Lovet  |  March 05, 2009  |  Category: Security Research

The Koobface worm, which has been scouring Facebook since last July and made the headlines again this week, is certainly beginning to redesign the concept of “friend.” The “acquaintance from high school you’ve never talked to since you added her/him” might now be the “acquaintance from high school you’ve never talked to since you added her/him and who occasionally sends links to sites loaded with viruses.”

Koobface has redefined this friendship concept, but that is not the only thing: it has also redefined the URL redirection policy of Facebook.

Indeed, URLs used to be left “as is” in friends’ private messages – assuming that they did not lead to a malicious site, of course. This is the very reason why Koobface “first-click URLs” are a mere hop through a reputable site (Google Reader, Google Picasa…), which in turn redirects unfortunate users to the final, malicious site (Facebook is not going to blacklist Google, right?).

Now and then, URLs included in messages are being automatically wrapped up by Facebook, in the following fashion:

URL: http://www.example.com
Wrapped URL: http://www.facebook.com/l.php?u=http://www.example.com

The latter is called a “web redirector.” Upon clicking on the wrapped URL, users are “going through” Facebook before reaching the final destination (here, www.example.com). What is really the point in force-wrapping URLs in redirectors? Simple: Friends’ messages are not only sent to the recipient’s Facebook account within the site, but are also e-mailed to the recipient’s external mailbox (Gmail, Hotmail, Yahoo Mail, etc.). Wrapping URLs in redirectors therefore allows Facebook to track clicks even when they are performed from the recipient’s external mailbox.

In our precise case, this serves a security purpose: even once malicious messages have been successfully emitted, users happily journeying toward the malicious final site from their mailbox can still be stopped at the redirector level.

It does make some sense. One may very well wonder if the cure is not worse than the disease, however. Indeed, web redirectors raise multiple security issues, which have been known since at least 2003 and have many times generated indignation in the ranks of the security industry.

Simply put, open web redirectors allow spammers, phishers, fraudsters, scammers and other cyber criminals to “wash” their malicious links with the name of a reputable site, fooling URI filters and human users alike.

Indeed, wouldn’t http://www.facebook.com/l.php?u=http://my%2Emalicious%2Esite%2Ecom be more likely to be trusted than http://my.malicious.site.com? This is where it all becomes ironic: since precisely this redirector is meant to wrap malicious links, Facebook might be seen as unwillingly giving an edge to cyber criminals without the latter even being aware of it.
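To show why a wrapped link slips past a filter that only inspects the outer hostname, here is a small URL check that peels the `l.php?u=` wrapper and decodes the percent-encoded host before consulting a blocklist. It is an added example, not code from the original post; the `REDIRECTORS` table, the `BLOCKLIST` contents and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Known redirector endpoints -> query parameter carrying the destination.
# Only Facebook's l.php?u= comes from the article; the table is an assumption.
REDIRECTORS = {("www.facebook.com", "/l.php"): "u"}
# Constructed blocklist using the article's placeholder hostname.
BLOCKLIST = {"my.malicious.site.com"}
MAX_HOPS = 5  # bound on nested wrapping


def host_of(url):
    """Lower-cased, percent-decoded hostname ('' if absent)."""
    return unquote(urlsplit(url).hostname or "").lower()


def naive_is_blocked(url):
    """What a filter sees if it only looks at the outer hostname."""
    return host_of(url) in BLOCKLIST


def final_destination(url, max_hops=MAX_HOPS):
    """Peel known redirector wrappers and return the innermost URL."""
    for _ in range(max_hops):
        parts = urlsplit(url)
        param = REDIRECTORS.get((host_of(url), parts.path))
        if param is None:
            return url
        # parse_qs percent-decodes the value, so %2E becomes "."
        targets = parse_qs(parts.query).get(param)
        if not targets:
            return url
        url = targets[0]
    raise ValueError("too many nested redirectors")


def is_blocked(url):
    """Check the unwrapped destination; fail closed on deep nesting."""
    try:
        return host_of(final_destination(url)) in BLOCKLIST
    except ValueError:
        return True


if __name__ == "__main__":
    wrapped = "http://www.facebook.com/l.php?u=http://my%2Emalicious%2Esite%2Ecom"
    print(naive_is_blocked(wrapped), is_blocked(wrapped))  # False True
```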

Granted, when going through Facebook’s redirector, users are presented with a message stating:

“You are about to leave Facebook to visit this address: … For the safety and privacy of your Facebook account, remember to never enter your password unless you’re on the real Facebook web site.”

Let’s therefore grant Facebook’s redirector the title of “semi-open redirector.” Yet users are nowadays so inundated with warnings wherever they click that the efficiency of this one may be questioned. Besides, a basic tenet of social engineering (directly inherited from experimental social psychology) is that once the decision to perform the first click has occurred, few events could reverse the process of commitment to reaching the destination.

So, automatic URL-wrapping, a good idea or a double-edged sword forced by Koobface’s pressure?
