Risk Inside Fb.me - Shorten External URLs with Fb.me

Fb.me is a Facebook URL shortener that shortens only Facebook URLs but I found that it's possible to shorten external links with Fb.me

Demo: http://fb.me/6t0KOXkR9

Proof of Concepts:

First connect your Twitter account with Facebook.

Next, if you update any status on FB,
a tweet is created on your Twitter with a link 
For Example:
http://fb.me/1lqKHloeI, if u follow the link it will redirects you to facebook url which is https://web.facebook.com/anas.mahmood.505/posts/2371744473051353?_rdc=1&_rdr
If u enter the link http://www.evil.com/ in FB status and update the status, a tweet is created without any link


Now enter this link in browser https://web.facebook.com/sharer/sharer.php?&u=http://www.evil.com and Post or update your status. 

Now go to twitter, you can see a tweet with a link " http://fb.me/6t0KOXkR9" Now visit this link, fb.me redirects to evil.com instead of https://web.facebook.com/anas.mahmood.505/posts/2391833044375829?pnref=story

So, when we update the status with a link through sharer.php, facebook shorten that external link with fb.me instead of fb post link.

So, attacker can shorten malicious URL or phishing links (Fb fake login page) with fb.me and may perform phishing attack.


Popular posts from this blog

XSS like a Pro

Email Spoofing for Beginners

DoS on WAF Protected Sites by Abusing Cookie