In the Facebook Android app, the ad creation deeplink “ads_lwi_coupon_interstitial” has a “landing_page” parameter. The URI passed to this parameter was not validated, so any internal/tightened deeplink passed to it would be launched when the “Get Started” button was pressed in the UI.
Vulnerable deeplink:
fb://ads_lwi_coupon_interstitial/?ad_account_id=1&page_id=&landing_page=fbinternal://rninternalsettings&entry_point=home
Mobile app version: 342.0.0.37.119
Reproduction steps:
- Create an intent using a third-party app or an HTML page with the deeplink “fb://ads_lwi_coupon_interstitial/?ad_account_id=1&page_id=216662095206780&landing_page=fbinternal://rninternalsettings&entry_point=home”
- Launch deeplink/app
- Click on “Get Started”
- It will open internal settings.
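One way a deeplink handler can validate the nested “landing_page” value before launching it, as an added example (this is not Facebook's code or its actual fix). The class name, the https-only allowlist and example.com are assumptions, and plain java.net.URI stands in for android.net.Uri so the check runs on a desktop JDK.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

public class LandingPageValidator {
    // Assumption: only https landing pages are legitimate for this flow.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("https");

    /** Returns the nested landing_page URI only if it passes the allowlist. */
    static Optional<URI> safeLandingPage(String deeplink) {
        try {
            String query = new URI(deeplink).getRawQuery();
            if (query == null) return Optional.empty();
            for (String pair : query.split("&")) {
                int eq = pair.indexOf('=');
                if (eq < 0 || !pair.substring(0, eq).equals("landing_page")) continue;
                String value = URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
                URI target = new URI(value);
                String scheme = target.getScheme();
                boolean allowed = scheme != null
                        && ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))
                        && target.getHost() != null;
                // The first landing_page decides; a later duplicate is never consulted.
                return allowed ? Optional.of(target) : Optional.empty();
            }
        } catch (URISyntaxException | IllegalArgumentException e) {
            // Malformed outer or nested URI: treat as untrusted and reject.
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        String[] samples = {
            // Deeplink from this report: nested fbinternal:// target.
            "fb://ads_lwi_coupon_interstitial/?ad_account_id=1&page_id=&landing_page=fbinternal://rninternalsettings&entry_point=home",
            // Constructed sample: percent-encoded https landing page.
            "fb://ads_lwi_coupon_interstitial/?ad_account_id=1&page_id=&landing_page=https%3A%2F%2Fexample.com%2Foffer&entry_point=home",
        };
        for (String s : samples) {
            System.out.println(safeLandingPage(s).map(URI::toString).orElse("REJECTED") + " <- " + s);
        }
    }
}
```

The check runs on the decoded nested URI at the point where the “Get Started” action would launch it, so an externally supplied deeplink cannot forward the user to a scheme outside the allowlist.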
Timeline:
31/10/2021: Reported
03/11/2021: Triaged
06/12/2021: Fixed
02/02/2022: Reward $3000 + $225 (Silver Bonus) + $300 (delay bonus)