The identity of a logged-in user should not be discoverable by other users. A redirection endpoint made it possible to determine whether the user visiting it is logged in as a target Facebook user.

Scrolling through some requests, I came across this redirection endpoint:
https://www.facebook.com/accounts_center/iab_confirmation/?&uid=<FBID>&redirect_url=https://www.facebook.com/
Attempting to supply any FBID other than the current user's resulted in an error. That made it interesting for an XS-Leak: the response depends on who is visiting.

Next, we can try to make it redirect to a website other than facebook.com. Specifying any other website,
"redirect_url=https://anything.com", won't work; www.facebook.com is the only whitelisted domain.

Another try: Facebook uses its link shim for redirection,
https://www.facebook.com/l.php/?u=<URL>
If we try to use it as redirect_url to bypass the whitelisted domain,
https://www.facebook.com/accounts_center/iab_confirmation/?&uid=<FBID>&redirect_url=https://www.facebook.com/l.php/?u=attacker.com
it won't work! The link shim uses another parameter, h=signature; if it is not included, a warning page is shown:
https://www.facebook.com/l.php/?u=<URL>&h=signature
Even if we attempt to add a signature previously generated for another user,
https://www.facebook.com/l.php/?u=attacker.com/1&h=signature
it still won't work; the signature is generated for that user only and is not accepted for other users.

Another try: an issue I had come across before allowed me to generate custom short URLs in this format:
attacker.com/111 = https://fb.watch/xyz
So I tried it, and it worked:
https://www.facebook.com/accounts_center/iab_confirmation/?&uid=<FBID>&redirect_url=https://www.facebook.com/l.php/?u=https://fb.watch/XYZ
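As an added illustration (not code from this write-up or from Facebook), the following Python models why the endpoint above is a cross-site oracle and how a hardened version avoids it: the observable response must not depend on whether uid matches the visitor's session, and the redirect target must be a plain same-origin path, so a host allowlist is not satisfied by a chain through the link shim or a short-link host. The host and the /l.php path are from the write-up; the function names and the hypothetical query-parameter check are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical model of a confirmation-then-redirect endpoint (not Facebook's code).
# Host and path names follow the write-up; everything else is assumed.
ALLOWED_HOST = "www.facebook.com"
FORWARDING_PATHS = ("/l.php",)  # same-origin forwarders: chaining through them
                                # turns the host allowlist into an open redirect


def vulnerable_confirm(session_uid, uid, redirect_url):
    """Response depends on whether uid matches the visitor: a cross-site oracle.
    The host allowlist is also satisfied by a same-origin URL that forwards off-site."""
    if session_uid != uid:
        return ("error", None)
    if urlsplit(redirect_url).hostname != ALLOWED_HOST:
        return ("error", None)
    return ("redirect", redirect_url)


def safe_redirect_target(redirect_url):
    """Accept only a plain same-origin https path; return None for anything else."""
    parts = urlsplit(redirect_url)
    if parts.scheme != "https" or parts.hostname != ALLOWED_HOST:
        return None
    if parts.path.startswith(FORWARDING_PATHS):
        return None
    # Refuse forwarders hidden in the query (u=..., next=...): any value that
    # parses as an absolute or protocol-relative URL (e.g. https://fb.watch/XYZ).
    for values in parse_qs(parts.query).values():
        if any(urlsplit(v).hostname for v in values):
            return None
    return parts.path or "/"  # path only: userinfo, query and fragment are dropped


def hardened_confirm(session_uid, uid, redirect_url):
    """Same observable response whether or not uid matches the session user."""
    target = safe_redirect_target(redirect_url) or "/"
    if session_uid == uid:
        pass  # perform the confirmation for this user; nothing observable changes
    return ("redirect", target)
```

Better still is to not accept uid from the request at all and derive it from the session, which removes the comparison the leak was built on.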
Timeline:
June 27, 2023: Reported
June 27, 2023: Triaged
June 29, 2023: Bounty awarded (BountyCon)