SECRY – Facebook URL spoofing vulnerability – A security researcher identified a URL spoofing vulnerability in Facebook’s Android application (FB4A). The flaw could allow an attacker to manipulate the URL bar shown in several Facebook Android apps.
The exploit used a crafted HTML file and a JavaScript snippet that triggered continuous redirection to a different domain. By opening a new tab and then navigating the original tab to another domain, the attacker could leave the URL bar showing an address that did not match the page being displayed, creating a phishing scenario.
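As an added illustration of the defensive side (this is not Facebook's fix and not code from the write-up): an Android `WebViewClient` that re-renders the address bar from the WebView's own committed URL on every navigation event, and only for the tab that is in the foreground, so a background tab that redirects itself cannot overwrite what the user sees. `TabTracker` is an assumed interface the host app would back with its tab manager.

```java
// Added example, not Facebook's code: keeps the displayed URL of an in-app browser
// tied to the navigation state of the tab that is actually visible.
import android.graphics.Bitmap;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.TextView;

public class SyncedAddressBarClient extends WebViewClient {
    private final TextView addressBar;   // UI element showing the current URL
    private final TabTracker tabs;       // assumed: knows which WebView is in the foreground

    public SyncedAddressBarClient(TextView addressBar, TabTracker tabs) {
        this.addressBar = addressBar;
        this.tabs = tabs;
    }

    // A navigation has begun: the old page is no longer what the user will see,
    // so show the destination now instead of leaving the previous URL up.
    @Override
    public void onPageStarted(WebView view, String url, Bitmap favicon) {
        render(view, url);
    }

    // Fires for every committed navigation, including script-driven redirects,
    // so a redirect loop cannot leave a stale URL on screen.
    @Override
    public void doUpdateVisitedHistory(WebView view, String url, boolean isReload) {
        render(view, url);
    }

    @Override
    public void onPageFinished(WebView view, String url) {
        // Ask the WebView itself rather than trusting the last loadUrl() call.
        render(view, view.getUrl());
    }

    // Called by the host app when the user switches tabs: the bar must reflect
    // the newly visible tab's committed URL, not whatever was last written.
    public void onTabShown(WebView view) {
        addressBar.setText(view.getUrl() == null ? "" : view.getUrl());
    }

    private void render(WebView view, String url) {
        // Only the foreground tab may write to the address bar.
        if (!tabs.isForeground(view)) return;
        addressBar.setText(url == null ? "" : url);
    }

    // Assumed interface; the real app would implement it over its tab manager.
    public interface TabTracker {
        boolean isForeground(WebView view);
    }
}
```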
The researcher reported the issue to Facebook on 9th October 2018. The report was initially closed, then triaged on 16th October 2018 but classified as a social engineering attack. The researcher then chained it with another vulnerability, which helped overcome that classification.
Facebook then officially triaged the report the same day. Proofs of concept for Instagram and Messenger followed. In February 2019 Facebook acknowledged that it was still working on related issues.
The Facebook URL spoofing vulnerability was eventually fixed on 18th March 2019, with a $1500 bounty. The researcher persisted, however, submitting a bypass using a 5ms delay on 19th March 2019. After a re-triage, Facebook confirmed the complete fix on 15th April 2019, earning the researcher a second $1500 bounty. On 24th April 2019 the finding was acknowledged with Hall of Fame listings for both 2018 and 2019.
This incident highlights the importance of continuous vigilance in identifying and addressing potential security vulnerabilities in widely used applications.