Facebook Leak Referrer Data

I’m glad you’re here. Please have fun reading (@nmochea).

While looking for a Facebook vulnerability, I visited this interesting link, which has a back_uri parameter on the endpoint:

https://facebook.com/privacy/checking/blocking/?back_uri=

So I viewed the source code and read it. After reading it, I found out that the URL in the source code does not pass through Linkshim, so by adding

https://mydomain.com/login.php

to the endpoint, the result looks like this:

https://facebook.com/privacy/checking/blocking/?back_uri=https://mydomain.com/login.php

You can easily redirect the Facebook page without Linkshim; the redirect works.

What is Linkshim

Every time a link is clicked on the site, Linkshim checks the URL against Facebook's own internal list of malicious links, along with the lists of numerous external partners including McAfee, Google, Web of Trust, and Websense. If Facebook detects that a URL is malicious, Facebook will display an interstitial page before the browser actually requests the suspicious page.

Read the full explanation in this note: www.facebook.com

Setup

User: UserOne {Owner: UserOne }

Environment: owner UserOne

Platform: Facebook sites

Steps to Reproduce

  • From any web browser, go to www.facebook.com and log in as UserOne.
  • Open this Facebook link:

https://facebook.com/privacy/checking/blocking/?back_uri=https%3a%2f%2fmydomain%2ecom%2flogin%2ephp

  • In the top-left header, click the back button.
  • The Facebook page then redirects, without Linkshim, to:

https://mydomain.com/login.php

Vulnerability Disclosure

Oct-13-2020: I reported this vulnerability on the Facebook Whitehat page.

Oct-13-2020: The Facebook team reproduced and investigated the vulnerability.

Oct-16-2020: The vulnerability has been patched by adding linkshim.

Oct-22-2020: Bounty Rewarded
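
The fix noted in the timeline, sending an off-site back_uri through a link shim instead of linking to it directly, can be sketched as below. This is an added example, not Facebook's code and not part of the original write-up; `SITE_ORIGIN`, `SHIM_PATH`, the `u` parameter and the function names are hypothetical, and the sample requests are constructed.

```javascript
// Added example. SITE_ORIGIN and SHIM_PATH are hypothetical placeholders,
// not Facebook's real hosts or endpoints.
const SITE_ORIGIN = 'https://www.example.com';
const SHIM_PATH = '/shim';
const FALLBACK = { kind: 'fallback', href: SITE_ORIGIN + '/' };

// Decide which href a "back" control may carry for an untrusted back_uri value.
function resolveBackUri(raw) {
  if (typeof raw !== 'string' || raw === '') return FALLBACK;
  let target;
  try {
    // Parse the way a browser will, relative to the site, so "//host",
    // "\\host" and "user@host" forms are normalised before any comparison.
    target = new URL(raw, SITE_ORIGIN);
  } catch {
    return FALLBACK;
  }
  // Only http(s) may be followed; javascript:, data: and similar are dropped.
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return FALLBACK;
  // Same-origin: return the normalised absolute URL. Returning only the path
  // would turn "https://site//other.host" back into a protocol-relative link.
  if (target.origin === SITE_ORIGIN) return { kind: 'internal', href: target.href };
  // Off-site: never link directly. Hand the URL to the shim, which can check
  // it against blocklists and show an interstitial before the browser leaves.
  const shim = new URL(SHIM_PATH, SITE_ORIGIN);
  shim.searchParams.set('u', target.href);
  return { kind: 'shimmed', href: shim.href };
}

// Pull back_uri out of a full request URL (percent-decoding included).
function backHrefForRequest(requestUrl) {
  return resolveBackUri(new URL(requestUrl).searchParams.get('back_uri'));
}

// Constructed sample requests, modelled on the URL shape in the write-up.
const base = SITE_ORIGIN + '/privacy/checking/blocking/?back_uri=';
const samples = [
  'https%3a%2f%2fmydomain%2ecom%2flogin%2ephp', // off-site, as in the report
  '%2Fsettings%3Ftab%3Dprivacy',                // on-site relative path
  '%2F%2Fmydomain.com%2Flogin.php',             // protocol-relative
  'javascript%3Aalert(1)',                      // non-http scheme
];
for (const s of samples) {
  const r = backHrefForRequest(base + s);
  console.log(r.kind.padEnd(9), r.href);
}
```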
