Risk Inside Fb.me - Shorten External URLs with Fb.me


Fb.me is Facebook's URL shortener and is meant to shorten only Facebook URLs, but I found that it is possible to shorten external links with Fb.me.

Demo: http://fb.me/6t0KOXkR9

Proof of Concept:


First, connect your Twitter account with Facebook.

Next, whenever you update a status on FB, a tweet is created on your Twitter account with a link.
For example: http://fb.me/1lqKHloeI. If you follow the link, it redirects you to the Facebook URL https://web.facebook.com/anas.mahmood.505/posts/2371744473051353?_rdc=1&_rdr
OK.
If you enter the link http://www.evil.com/ in an FB status and update the status, a tweet is created without any link.


OK


Now enter this link in your browser: https://web.facebook.com/sharer/sharer.php?&u=http://www.evil.com and post or update your status.


Now go to Twitter; you can see a tweet with the link http://fb.me/6t0KOXkR9. Visit this link: fb.me redirects to evil.com instead of https://web.facebook.com/anas.mahmood.505/posts/2391833044375829?pnref=story



So, when we update the status with a link through sharer.php, Facebook shortens that external link with fb.me instead of the FB post link.



So an attacker can shorten malicious URLs or phishing links (a fake FB login page) with fb.me and use them in a phishing attack.
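As an added example (not Facebook's code and not part of this post), this is the allowlist check a single-site shortener should apply before minting a short link: it unwraps the `u=` parameter of a sharer.php link the way the bug above exercises it and refuses any target whose host is not a Facebook domain. The allowed-domain list and the function names are assumptions; the check also covers lookalike hosts and userinfo tricks beyond the single case in the post.

```python
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Assumption: domains a Facebook-only shortener would accept (constructed list).
ALLOWED_DOMAINS = ("facebook.com", "fb.com", "messenger.com")


def is_allowed_target(url: str) -> bool:
    """True only if the URL's host is an allowed domain or a subdomain of one."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # drops userinfo and port, e.g. facebook.com@evil.com -> evil.com
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    host = host.lower().rstrip(".")
    # Suffix match with a leading dot, so facebook.com.evil.com is rejected.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def sharer_target(sharer_url: str) -> Optional[str]:
    """Extract the u= parameter of a sharer.php link, the value the post shows
    being shortened in place of the Facebook post URL."""
    values = parse_qs(urlsplit(sharer_url).query).get("u")
    return values[0] if values else None


def may_shorten(url: str) -> bool:
    """Decision the shortener should make: only shorten when the final target,
    after unwrapping a sharer.php link, sits on an allowed host."""
    if "/sharer/sharer.php" in urlsplit(url).path:
        target = sharer_target(url)
    else:
        target = url
    return target is not None and is_allowed_target(target)


if __name__ == "__main__":
    # The sharer link from the post resolves to evil.com and must be refused.
    print(may_shorten("https://web.facebook.com/sharer/sharer.php?&u=http://www.evil.com"))
    # A plain Facebook post URL is fine to shorten.
    print(may_shorten("https://web.facebook.com/anas.mahmood.505/posts/2371744473051353?_rdc=1&_rdr"))
```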
