The story of this write-up “Facebook Link Shim Security Bypass” came into existence when there were lots of phishing attacks going-on in the market, Still attacks are in market I must say. 😀

At that time, Facebook came up with an added layer of security. When a user is getting redirected to a malicious site, Facebook will block it immediately and won’t allow a user to go forward.

Screen Shot from my reported PoC

I was hunting for bugs and thought to get my hands on Facebook. Soon, I was landed on the page which says the “Link Blocked” which is shown above. It caught my attention I try to bypass it.

So, my aim was to bypass the security check and directly land on the malicious site or any other website. The link was looking pretty simple with destination site name and token value.

https://xxx.facebook.com/xx.php?u=https://malicioussite&h=TokenValue

By replacing the name in link with a trusted site like “Google.com“, Facebook will let you go ahead and redirect you on it. But, when you give a site like “Evil.com” it will block you.

Reconnaissance

First, I started to learn the mechanism that how this works? I created a list of sites which were similar like the one, i.e. “Evil.com” and which was getting blocked by Facebook.

Soon, I ran out of all sites from my list and now all of them are getting blocked. But, one thing I noticed that many of the sites were getting redirect successfully and when I try to reproduce it, Facebook was blocking that site. So, it was working for the first time and then it is getting blocked.

There can be only one reason behind it that Facebook was adding such site to its blacklist. If a site is not listed in its blacklist, then Facebook will successfully redirect you for the first time. But, when you try to reproduce it, then you will get blocked as that malicious site will get added to the blacklist.

Facebook Link Shim Issue 1:

So, the next challenge was to use the blacklisted sites again to reproduce the issue because buying a new domain name or creating a new site which can work only for one time is not worth, Right!

I thought, why can’t I try link shortner? So, I opened google link shortner and generated a link. Loaded the main link with it and BOOM…it got redirected. But, it was also getting blocked after one-time use. Also, you can only generate one short link, if you try to generate another link with the same website then it will not.

So, I came-up with the idea to use Upper and Lower case letter. “Evil.com” or “eVil.com” or “EvIl.CoM“, “http://” or “https://“, all this will land you to the same site.

Great, In this way I can create multiple short links to the same site and they can be used with the Facebook main link. 🙂

Facebook Link Shim Issue 2:

Another issue I found was in “Token”, Facebook link contains a token which was not getting expired. Due to this issue, the same link can be used multiple times to redirect.

No need to click on “Follow link” button now, it will directly lands you on the other site.

It was a complete Open Redirect in Facebook. I bypassed Facebook Security which was blocking the site and also bypassed the need to click on “Follow link” button.

Submitting it to Facebook

Finally, submitted to Facebook.

Facebook – Rejected and challenged me to redirect blacklisted site

Facebook Link Shim vulnerability conversation 1
Part of conversation – ScreenShot on my device

Me – Accepted the challenge and showed by redirecting to blacklisted site

Facebook – Accepted that they cannot mitigate the issue and said they provide a reasonable level of checking. ( Cool…:P)

Facebook Link Shim vulnerability conversation 2
Facebook accepting that it is difficult to mitigate – Screenshot on my device

No Bounty was Awarded…No Hall of Fame…as they don’t accept Open Redirect….Yeeeeyyy…what about security bypass??!! Learned a lot, Thank you Facebook 😛

Current Updates:

Facebook has removed that malicious site blocking function, also new token is getting authentication for a new user account when getting redirected. So, anyone sends such link, then Facebook will authenticate the token and if it is not a valid one, then generate new one and shows the page with the option “Follow link”.

Proof of Concept Video:

PoC Submitted to facebook

Hope you liked the blog, below are few more topics regarding Facebook which you would like to read.

How to protect your Facebook account from hackers in 2019?

Get a reward of $40,000 for finding ways to hack Facebook ,whatsapp and Instagram accounts