Jump to content

Search the Community

Showing results for tags 'og:url'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

Found 1 result

  1. Author: Barak Tawily While we are on Facebook, we are often share links to external sources, like Youtube, Google Drive, Instagram, or any other websites. Many people think that Facebook links are quite reliable, but are they? Facebook users can send those links via post or privately over Messenger, as you can see on the following images: So how exactly preview link feature works? When a user is about to post a link, he pastes it on Facebook, which detects it as a URL, then Facebook bot called “Facebook External Hit”, fetches a GET request to the supplied link and extract the relevant data from the HTML content such as preview image, title, description, and origin domain. The link’s preview data is the only information supplied to the user before clicking it. In case the preview data is fake, it is super useful for phishing campaigns/ads/click fraud (pay-per-click)/Malvertising, just few days ago, I read this article about gigantic ad fraud on MySpace. So after exploring this feature, I managed to understand how exactly the preview data was fetched, and what Facebook bot is looking for in the HTML content. Facebook’s bot is looking for specific HTML tags, some of the tags it is looking for, are the “meta” tags, specifically with values “og:url” , “og:image” and “og:title” in the “property” attribute. Due to lack of validation between the “og:url” content attribute to the origin domain retuned the HTML, it is possible to abuse this feature via crafted meta tags, so in case someone supplies to Facebook bot a URL that returns HTML with those crafted tags which contain fake data of another website (let’s say Youtube), the preview data will look like a Youtube song (or any other targeted page over the internet), but the actual link will lead victims to the URL containing the malicious HTML. An example of HTML that fakes Youtube song link: In my opinion, all Facebook users think that preview data shown by facebook is reliable, and will click the links they are interested in, which makes them easily targeted by attackers that abuse this feature in order to perform several types of attacks as I mentioned above (phishing campaigns/ads/click fraud pay-per-click). I reported Facebook about this issue but unfortunately they refuse to recognize it as security issue and replied: In addition, Facebook replied that the links posted are validated via system called “Linkshim”, in order to avoid phishing and malicious websites, but faking the meta tags is not considered as malicious activity. I explored how Linkshim works, which is probably part of the “Facebook External Hit” bot, I tried to publish a link that redirects user’s browser to “evilzone” but it was detected and removed (as shown the PoC video), then I thought, what if I supply Facebook bot just a normal fake HTML without any malicious code, but supply victims the malicious HTML? PoC video: The following code bypasses Linkshim system by detecting the bot request via User Agent (you can do so via detecting IP) and supply HTML with non malicious content while supplying the malicious HTML to victims: https://pastebin.com/kwc3MJuv mirror: In this article I did not show real-life attack scenario and didn't abused this feature for real malicious activity, but there is plenty ways to exploit this vulnerability in order to perform several types of attacks like stealing sensitive information like credentials/credit cards. In summary, I hope this post will make Facebook users aware of this issue and make Facebook addressed those vulnerabilities. Source: https://baraktawily.blogspot.nl/2017/10/can-you-trust-facebook-links.html
×
×
  • Create New...