Linkshim Bypass

Reporter: Anthony Richa
Published On: 12 Jul 2021
Bounty: $500
Program: Facebook | Web
Category: Other
Severity: MEDIUM
Status: VALID
Description

Q: Who can be affected by this issue?
A: Anyone.

Q: Why is this a problem?
A: This can be abused to redirect users to any harmful website.

Impact

An attacker could redirect any victim to a malicious website of their choice, or to a site Facebook has banned (for example evilzone.org), without the link passing through the Linkshim redirector.




Reproduction Steps

Step 1. Open Facebook with Google Chrome or Chrome for Android.

Step 2. Go to https://m.facebook.com/messagingconfirmation?action_url=https://evilzone.org

Step 3. Click Delete.

Step 4. That's it :) The browser is sent straight to the action_url target without passing through the Linkshim redirector.

OS & Application Version:

Windows 10, Google Chrome 87.0.4280.141 (64-bit). P.S.: This won't work on Safari or other browsers.
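The following is an added example and is not code from the original report or from Facebook. It models the kind of handler behind a parameter like action_url: the pre-fix behaviour that hands the parameter straight to the browser, a hardened version that keeps same-site paths and routes every off-site target through a Linkshim-style signed redirector (Facebook's actual fix, per the timeline, was to remove the parameter; the wrapping shown here is the general alternative), and the check a triager would run on the redirect hop to confirm a link is "correctly linkshimmed". The site host list, the redirector host, the HMAC-based h token and the secret are assumptions for illustration; the u and h parameter names mirror what l.facebook.com/l.php uses in practice, but the signature scheme is hypothetical.

```python
# Added example, not Facebook's code: a minimal model of an outbound-redirect
# handler, the open-redirect behaviour reported here, a hardened variant, and
# a check for whether a redirect hop goes through the Linkshim redirector.
import hmac
import hashlib
from urllib.parse import urlsplit, urlencode, parse_qs

SITE_HOSTS = {"m.facebook.com", "www.facebook.com", "facebook.com"}  # assumed
LINKSHIM_HOST = "l.facebook.com"  # assumed redirector host
SECRET = b"server-side-secret-for-demo"  # assumed; a real one is per-deployment


def vulnerable_redirect(action_url: str) -> str:
    """Pre-fix behaviour as described in the report: the action_url value is
    used verbatim as the redirect target, so https://evilzone.org is reached
    without ever touching the redirector."""
    return action_url


def linkshim_wrap(target: str) -> str:
    """Wrap an off-site URL in a signed redirector URL. HMAC-SHA256 truncated
    to 16 hex chars is an assumed scheme for the demo; the point is that the
    h token binds u so a user cannot forge redirector links to new targets."""
    sig = hmac.new(SECRET, target.encode(), hashlib.sha256).hexdigest()[:16]
    return f"https://{LINKSHIM_HOST}/l.php?" + urlencode({"u": target, "h": sig})


def safe_redirect(action_url: str) -> str:
    """Hardened handler: same-site https URLs and plain relative paths pass
    through, everything else is wrapped, and non-http(s) schemes or
    backslash tricks fall back to the site root."""
    # Chrome normalises "/\evil.org" to "//evil.org", so refuse backslashes
    # before parsing rather than trusting urlsplit's view of the path.
    if "\\" in action_url:
        return "/"
    parts = urlsplit(action_url)
    # Reject javascript:, data:, and any other non-http(s) scheme.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return "/"
    # No scheme and no host: a relative path. "//evil.org/x" is parsed as
    # scheme-relative with netloc evil.org, so it reaches the host check below.
    if not parts.netloc and not parts.scheme:
        if action_url.startswith("/") and not action_url.startswith("//"):
            return action_url
        return "/"
    # Exact host match: "m.facebook.com.evil.org" and "m.facebook.com@evil.org"
    # both yield a hostname that is not in SITE_HOSTS.
    host = (parts.hostname or "").lower()
    if host in SITE_HOSTS and parts.scheme.lower() == "https":
        return action_url
    # Off-site (or same-site over plain http): add a scheme to scheme-relative
    # input, then send it through the redirector.
    target = action_url if parts.scheme else "https:" + action_url
    return linkshim_wrap(target)


def is_linkshimmed(location: str) -> bool:
    """The triage check from the timeline: the redirect hop must land on the
    redirector host with a u= target (and a signature), not on the raw URL."""
    parts = urlsplit(location)
    if parts.hostname != LINKSHIM_HOST or parts.path != "/l.php":
        return False
    qs = parse_qs(parts.query)
    return "u" in qs and "h" in qs


if __name__ == "__main__":
    # Constructed inputs: the reported PoC target and a few bypass attempts.
    for url in ("https://evilzone.org", "//evilzone.org/x", "/messages",
                "https://m.facebook.com@evilzone.org/", "javascript:alert(1)"):
        print(f"{url!r:42} vulnerable -> {vulnerable_redirect(url)!r}")
        print(f"{'':42} hardened   -> {safe_redirect(url)!r}")
```

To apply the is_linkshimmed check against a live page, look at the Location header of the hop the Delete button triggers (or the href the page emits): a linkshimmed link lands on l.facebook.com/l.php with the real destination in u=, while the reported bypass lands on the raw action_url value.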


Timeline

Anthony (24 Jan 2021): Report Submitted.

Facebook (27 Jan 2021): Managed to Reproduce! Thank you for your submission. We've managed to reproduce your report and will get back to you once we have had a chance to investigate.

Facebook (27 Jan 2021): Unable to Reproduce. I'm unable to reproduce this on the latest Chrome 88.0.4324.96 + macOS. The site is correctly linkshimmed which you can confirm by checking the U ...

Anthony (27 Jan 2021): Still able to Reproduce. I'm still able to reproduce this on the latest Chrome Version 88.0.4324.104 (64-bit) on Windows 10. I have used Normal / Incognito mode to ensur ...

Facebook (27 Jan 2021): More Investigation! Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you upd ...

Anthony (27 Jan 2021): Looking for Feedback. Looking forward to your feedback!

Anthony (01 Feb 2021): Update Request. Any updates on this?

Facebook (01 Feb 2021): No Update. There is no update to provide on this report yet. We'll let you know as soon as we have an update ready. Thank you so much for your patience.

Anthony (11 Feb 2021): Update Request. Any updates on this?

Facebook (11 Feb 2021): Fixed. We have looked into this issue and believe that the vulnerability has been patched by removing this parameter altogether. Please let us know if y ...

Anthony (11 Feb 2021): Confirmation. This is to confirm that the bug I reported has been patched as indicated in your above message. I just ran a test and proved that.

Facebook (16 Feb 2021): Bounty Awarded! After reviewing this issue, we have decided to award you a bounty of $500. Below is an explanation of the bounty amount. Facebook fulfills its bo ...