Facebook Android vulnerability: launching internal/tightened deeplinks on behalf of the user
In the Facebook Android app, the ad creation deeplink ads_lwi_coupon_interstitial takes a landing_page parameter. The URI passed in this parameter was not validated, so any internal/tightened deeplink passed to it would be launched when the user pressed the “Get Started” button in the UI.
Vulnerable deeplink:
fb://ads_lwi_coupon_interstitial/?ad_account_id=1&page_id=&landing_page=fbinternal://rninternalsettings&entry_point=home
Mobile app version: 342.0.0.37.119
Reproduction steps:
- Create an intent from a third-party app or an HTML page with the deeplink:
fb://ads_lwi_coupon_interstitial/?ad_account_id=1&page_id=216662095206780&landing_page=fbinternal://rninternalsettings&entry_point=home
- Launch deeplink/app
- Click on Get Started
- It will open internal settings.
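The missing check on landing_page, as an added example (not Facebook's code and not the author's): a fail-closed validator written against java.net.URI so it runs off-device. The class and method names, the https-only allowlist and the example.com URL are assumptions; the page does not say which values landing_page legitimately takes or how the fix was implemented.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

public class LandingPageCheck {
    // Assumption: a landing page may only be an https URL. Internal schemes
    // such as fbinternal:// are rejected because they are not listed here.
    static final Set<String> ALLOWED_SCHEMES = Set.of("https");

    // Decoded value of a query parameter; null when absent or repeated (ambiguous).
    static String queryParam(URI uri, String name) {
        String raw = uri.getRawQuery();
        if (raw == null) return null;
        String found = null;
        for (String pair : raw.split("&")) {
            int eq = pair.indexOf('=');
            if (!(eq < 0 ? pair : pair.substring(0, eq)).equals(name)) continue;
            if (found != null) return null;
            found = URLDecoder.decode(eq < 0 ? "" : pair.substring(eq + 1), StandardCharsets.UTF_8);
        }
        return found;
    }

    // Returns the URI that may be launched, or null. The caller launches only
    // this returned object, so the value checked is the value used.
    static URI safeLandingPage(String deeplink) {
        try {
            String value = queryParam(new URI(deeplink), "landing_page");
            if (value == null) return null;
            URI target = new URI(value);
            String scheme = target.getScheme();
            if (scheme == null || target.getHost() == null) return null;
            return ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT)) ? target : null;
        } catch (URISyntaxException | IllegalArgumentException e) {
            return null; // fail closed on anything that does not parse
        }
    }

    public static void main(String[] args) {
        String base = "fb://ads_lwi_coupon_interstitial/?ad_account_id=1&page_id=&landing_page=";
        // The deeplink from the report, then a constructed benign one.
        System.out.println(safeLandingPage(base + "fbinternal://rninternalsettings&entry_point=home"));
        System.out.println(safeLandingPage(base + "https%3A%2F%2Fexample.com%2Foffer&entry_point=home"));
    }
}
```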
Proof of concept:
Timeline:
- 31/10/2021: Reported
- 03/11/2021: Triaged
- 06/12/2021: Fixed
- 02/02/2022: Reward $3000 + $225 (Silver Bonus) + $300 (delay bonus)
This post is licensed under CC BY 4.0 by the author.