dw1
I come to bury your sky-high style!

Open-redirect on Facebook (Bypass Linkshim)

TL;DR

My personal Facebook account has been blocked for up to a month for violating Facebook community standards by over-shitposting, LMAO. I can't do anything with the account: no status updates or shares, no commenting on statuses, no liking pages, no sending or accepting friend requests. The only thing I can do is read all my friends' statuses on the home page, so I feel like a fucking CIA agent. I started by opening Facebook in a mobile browser (m.facebook.com) because I wanted to download a friend's story. I viewed the story from the Home page, where opening one story automatically queues up the next stories from my friends for a certain time.

What is Linkshim?

(screenshot: facebook_linkshim)

Every time a link is clicked on the site, Linkshim checks the URL against Facebook's own internal list of malicious links and against the lists of numerous external partners, including McAfee, Google, Web of Trust, and Websense. If Facebook determines that a URL is malicious, it displays an interstitial warning page before the browser actually requests the suspicious page.

Read the full explanation in this note: https://www.facebook.com/10150492832835766.

Proof of Concept

I then decided to view the story directly from the profile page. When I click the profile picture, the story endpoint is generated as follows:

https://m.facebook.com/story/view/?bucket_id=:bucket_id&viewer_session_id=:session_id&exit_uri=/profile.php?id=:profile_id

Vulnerable parameter: exit_uri

This parameter does not appear when stories are viewed from the Home page. It works like a callback URL: once all the available stories have been viewed, the browser is redirected to the value of exit_uri. I changed the parameter's value to "http://evilzone.org", and it worked: the page redirected to that site with no Linkshim filter in between.

(screenshot: it_works_linkshim_bypass)

It should be noted that Facebook does not treat an open redirect as a vulnerability if the payload only reaches the external site through a shortened URL. In other words, Facebook does not check two or more redirect hops deep, because a user could chain shorteners 100 levels deep, which makes sense.
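The bug above is the classic open-redirect shape: a "return to" parameter that is accepted verbatim, so an absolute URL skips the Linkshim interstitial that a normal outbound link would get. The following Python is an added example, not Facebook's code and not taken from the post, showing how such an exit_uri handler should be hardened: same-site paths pass through, anything external is wrapped in a link-shim style interstitial URL, and everything else falls back to a safe default. The origin `https://m.facebook.com`, the shim endpoint `https://l.facebook.com/l.php?u=` and the function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit, urljoin, quote

# Assumption: the origin of the app issuing the redirect.
SITE_ORIGIN = "https://m.facebook.com"
# Assumption: an interstitial ("link shim") endpoint that vets outbound URLs.
LINKSHIM = "https://l.facebook.com/l.php"


def is_local_path(target: str) -> bool:
    """True only for a same-site path such as /profile.php?id=123.

    Rejects absolute URLs, scheme-relative //host, the /\\host backslash
    variant, and anything that resolves to a different origin.
    """
    if not target or not target.startswith("/"):
        return False
    if target.startswith("//") or target.startswith("/\\"):
        return False
    # Browsers treat backslashes as slashes; normalise before parsing.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return False
    # Resolve against the site and confirm the origin did not change.
    resolved = urlsplit(urljoin(SITE_ORIGIN + "/", normalised))
    return f"{resolved.scheme}://{resolved.netloc}" == SITE_ORIGIN


def vulnerable_exit(exit_uri: str) -> str:
    """The behaviour the post describes: exit_uri is used as-is."""
    return exit_uri


def safe_exit(exit_uri: str, default: str = "/") -> str:
    """Hardened handler: local paths pass, http(s) URLs go through the shim,
    anything else (javascript:, data:, garbage) falls back to the default."""
    if is_local_path(exit_uri):
        return exit_uri
    parts = urlsplit(exit_uri)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{LINKSHIM}?u={quote(exit_uri, safe='')}"
    return default


if __name__ == "__main__":
    # Constructed sample inputs: the post's payload plus common bypass shapes.
    for uri in ("/profile.php?id=123", "http://evilzone.org",
                "//evilzone.org", "/\\evilzone.org", "javascript:alert(1)"):
        print(f"{uri!r:28} vulnerable -> {vulnerable_exit(uri)!r:24} safe -> {safe_exit(uri)!r}")
```

Note what this validator deliberately does not do: it never fetches the target or follows redirects, so a shortener URL is shimmed as the shortener's own host, exactly the one-hop model the post says Facebook applies. Checking the final destination would require resolving an unbounded redirect chain at click time.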

(screenshot: facebook_bugbounty_reward)

Timeline:

- 19-01-2020 - Vulnerability reported.
- 20-01-2020 - The Facebook team reproduces & investigates the vulnerability.
- 21-01-2020 - Triaged.
- 11-02-2020 - Resolved. Vulnerability has been patched.
- 12-02-2020 - Bounty rewarded.
