Summary
The Facebook Android app uses deeplinks throughout the whole application. I stumbled upon a deeplink which opens any given video URL in your default media app, expected behaviour except that this endpoint did not validate the file type or its source. By crafting an fb:// deeplink I could initiate a download of certain file types from within the Facebook process.
Example
The affected deeplink
fb://video/?href={LINK TO FILE}
Below demonstrates the Facebook application downloading a random APK file; as ES File Explorer is installed, we're able to save and launch the downloaded file.
The limitation of this vulnerability is that the end user is required to have a file manager installed. Depending on the file manager, it may allow the file to be downloaded without user interaction.
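As an added example (not Facebook's code and not part of the original write-up), this is the shape of handler that closes the gap described above: the href parameter of an fb://video/ style deeplink is parsed, and only an https URL whose host is on an allow-list and whose path ends in a known video extension is handed to an external player, with an explicit video MIME type so generic file handlers are not offered. The package name, the allow-listed hosts and the activity name are hypothetical, and the manifest intent-filter that routes the custom scheme to this activity is assumed and not shown.

```java
// Added example, not the Facebook app's code. Hypothetical package name.
package com.example.deeplinkdemo;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.webkit.MimeTypeMap;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class VideoDeepLinkActivity extends Activity {
    private static final String TAG = "VideoDeepLink";

    // Hypothetical allow-list of hosts this app is willing to hand to a media player.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "video.example.com", "cdn.example.com"));

    // Only these path extensions are treated as playable video; an .apk or any
    // other type is refused instead of being forwarded for download.
    private static final Set<String> ALLOWED_EXTENSIONS = new HashSet<>(Arrays.asList(
            "mp4", "webm"));

    /** Returns the validated video Uri, or null if the href must be refused. */
    static Uri validateHref(String href) {
        if (href == null || href.isEmpty()) return null;
        Uri target = Uri.parse(href);

        // Require an absolute https URL: rejects file://, content://, http://,
        // javascript: and relative paths in one check.
        if (!"https".equalsIgnoreCase(target.getScheme())) return null;

        String host = target.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return null;

        // getFileExtensionFromUrl ignores the query string, so a query parameter
        // cannot smuggle a different file name past the extension check.
        String ext = MimeTypeMap.getFileExtensionFromUrl(href);
        if (ext == null || ext.isEmpty()
                || !ALLOWED_EXTENSIONS.contains(ext.toLowerCase(Locale.ROOT))) return null;

        return target;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Deeplink of the form fb://video/?href=https://video.example.com/clip.mp4
        Uri data = getIntent().getData();
        String href = (data == null) ? null : data.getQueryParameter("href");

        Uri video = validateHref(href);
        if (video == null) {
            Log.w(TAG, "Refusing deeplink: href failed scheme/host/extension validation");
            finish();
            return;
        }

        String mime = MimeTypeMap.getSingleton().getMimeTypeFromExtension(
                MimeTypeMap.getFileExtensionFromUrl(video.toString()));

        // Hand only the validated URL to an external app, with a video MIME type,
        // so the chooser offers media players rather than generic file handlers.
        Intent view = new Intent(Intent.ACTION_VIEW);
        view.setDataAndType(video, (mime != null) ? mime : "video/*");
        startActivity(Intent.createChooser(view, null));
        finish();
    }
}
```

The key design choice is that validateHref is a pure function of the string, so it can be unit-tested on its own; the host allow-list is the part that prevents the app from acting as a downloader for arbitrary third-party content, and the extension check is what keeps non-media files from reaching a file manager at all.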
Timeline - Key dates
- Reported to Facebook - 21 Oct 2018
- First Response - 23 Oct 2018
- Triage - 14 Nov 2018
- Fixed - 30 Nov 2018
- Bounty Received - 6 Dec 2018
Response From Facebook Security Team
Hi Ash King
After reviewing this issue, we have decided to award you a bounty of $750. Below is an explanation of the bounty amount. Facebook fulfills its bounty awards through Bugcrowd.
Getting an Android user to open a fb://video/?href=link will result in their phone automatically downloading the linked file if they have a file manager installed.
Thank you again for your report. We look forward to receiving more reports from you in the future!