Facebook room deep linking vulnerability, allow malicious user to know the code for anyone’s…


Quel

Title
Facebook room deep linking vulnerability, allow malicious user to know the code for anyone’s meeting.

Vuln Type
Other

Product Area
FBLite

Description/Impact
This vulnerability requires the malicious actor to have an app installed on the victim's device that steals the code of Facebook Room calls via the deep link. Any app can implement this, and we cannot control which apps a user downloads or installs, but we can keep users safer by making our products more secure.

Facebook Rooms has been a staple for a lot of people for quite a while now, whether for corporate, class or personal use. I use it myself. But imagine someone who was not invited just walking into your group calls or, even worse, your meetings; this has been a problem for other group calling apps, and there have been various articles and reports about it.

Looking at the Android manifest of FBLite, I found an interesting scheme and host. I immediately created an application in Android Studio and copied the <intent-filter> into the sample app I was making, then parsed the path segments of the link whenever the deep link was used and displayed the code (the string that identifies your FB room).

In the sample app that I made it only displays the code, but it could easily be extended to save it in a database such as Firebase. Another danger here is that users can have multiple rooms, especially nowadays when many opt for them, and some rooms never get deleted: they just sit there and are only gone if the user removes them. So it is safe to say that every code (the string that identifies your FB room) obtained this way is important and private.
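As an added illustration (not code from this report, from FBLite or from Facebook), here is the manifest pattern that creates this exposure next to the hardened form that closes it. The scheme, host, path and package names are placeholders, since the report does not name the real ones.

```xml
<!-- Added example, not from the report. Scheme, host and activity names are placeholders. -->

<!-- WEAK: a custom scheme with no ownership check. Any installed app can declare
     the same scheme and host, and Android will offer it in the chooser (or use it
     by default) when the room link is opened; that app then reads the room code
     from the path segments of the incoming intent's data URI. -->
<activity android:name=".RoomJoinActivity" android:exported="true">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="fb-room-example" android:host="room" />
    </intent-filter>
</activity>

<!-- HARDENED: an https Android App Link. With autoVerify the OS checks at install
     time that https://rooms.example.com/.well-known/assetlinks.json lists this
     package name and its signing-certificate SHA-256. Only a verified app is
     routed the link directly and without a chooser, so another app that merely
     declares the same host is not offered the room link. -->
<activity android:name=".RoomJoinActivity" android:exported="true">
    <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="https"
              android:host="rooms.example.com"
              android:pathPrefix="/room/" />
    </intent-filter>
</activity>
```

The assetlinks.json served on that host must contain a statement with relation `delegate_permission/common.handle_all_urls` and an `android_app` target carrying the `package_name` and `sha256_cert_fingerprints`; if verification fails, the https link falls back to the system chooser and the protection is lost.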

This needs to be fixed so that it cannot be abused (if it is not already being abused), since Rooms is very widely used and this could hurt the integrity of the platform, like the issues with Zoom calls. Users also sometimes use Facebook Live embedded in FB Room calls to share their meetings, and if a malicious entity showed up it could be demeaning and hurt the integrity of the organization.

- Privacy invasion
- Meeting bombing (like zoom bombing of meetings)
- Offensive speech, acts, hate, fake news, explicit content.

Repro Steps
Mobile app version: 271.0.0.6.119

Users: [User A]

Environment: [FB_ROOM A]

Browser: [N/A]

OS: [Android 11]

1. User A receives an FB Room link.
2. User A clicks the link; the Android phone may ask which app should open it, or the malicious app may already be set as the default.
3. The malicious app takes the code from the FB Room link.
4. The attacker joins the group call and shares explicit content, performs offensive acts, etc.

Here is an unlisted video POC in youtube: https://youtu.be/uNnGw8O9w4g

Timeline:

October 8, 2021 — Report was sent

October 12, 2021 — Facebook Replied

“We have discussed the issue at length and concluded that, whilst you reported a valid issue which the team may make changes based on, unfortunately your report falls below the bar for a monetary reward.

This is because the victim would need to have a malicious application installed and to open the link via the malicious application instead of Facebook. While we do accept some scenarios that require a victim to have a malicious application installed, in those cases the possible impact is much higher than just entering a room where the victim still has the option to kick you out.”

October 12, 2021 — Closed as informative
