Downloading any file via Facebook for Android


Summary

The Facebook Android app utilises deeplinks throughout the whole application.
I stumbled upon a deeplink which opens any given video URL in your default media app. This is expected behaviour, except this endpoint did not validate the file type or its source. Crafting together a fb:// deeplink, I could initiate a download for certain file types from within the Facebook process.

Example

The affected deeplink: fb://video/?href={LINK TO FILE}

The demonstration below shows the Facebook application downloading a random APK file. As ES File Explorer is installed, we're able to save and launch the downloaded file.

The limitation of this vulnerability is that the end user is required to have a file manager installed. Depending on the file manager it may allow the file to be downloaded without user interaction.
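
The two checks the endpoint lacked (source and file type), sketched as a validator a deeplink handler could run on the href parameter before handing it to a media app. This is an added example, not Facebook's code or the fix they shipped; the class name, the allowed hosts and the allowed extensions are assumptions chosen for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

public class VideoDeeplinkValidator {
    // Assumed policy values for illustration; not taken from the Facebook app.
    static final Set<String> ALLOWED_HOSTS = Set.of("video.example.com", "cdn.example.com");
    static final Set<String> ALLOWED_EXTENSIONS = Set.of("mp4", "webm", "m3u8");

    /** Returns the validated media URI from fb://video/?href=..., or null if rejected. */
    static URI validate(String deeplink) {
        try {
            URI link = new URI(deeplink);
            if (!"fb".equals(link.getScheme()) || !"video".equals(link.getHost())) return null;
            String rawQuery = link.getRawQuery();
            if (rawQuery == null) return null;
            String href = null;
            for (String pair : rawQuery.split("&")) {
                if (pair.startsWith("href=")) {
                    if (href != null) return null; // duplicate parameter is ambiguous: reject
                    href = URLDecoder.decode(pair.substring(5), StandardCharsets.UTF_8);
                }
            }
            if (href == null) return null;
            URI target = new URI(href);
            // Source check: https only, no userinfo component, exact host match.
            if (!"https".equalsIgnoreCase(target.getScheme())) return null;
            if (target.getUserInfo() != null || target.getHost() == null) return null;
            if (!ALLOWED_HOSTS.contains(target.getHost().toLowerCase(Locale.ROOT))) return null;
            // File-type check on the path component, never on the query string.
            String path = target.getPath();
            int dot = path.lastIndexOf('.');
            if (dot < 0) return null;
            String ext = path.substring(dot + 1).toLowerCase(Locale.ROOT);
            return ALLOWED_EXTENSIONS.contains(ext) ? target : null;
        } catch (URISyntaxException | IllegalArgumentException e) {
            return null; // malformed link or bad percent-encoding
        }
    }

    public static void main(String[] args) {
        for (String s : new String[] { // constructed sample links
                "fb://video/?href=https://cdn.example.com/clips/demo.mp4",
                "fb://video/?href=https://files.example.net/app.apk",
                "fb://video/?href=http://cdn.example.com/clips/demo.mp4" })
            System.out.println((validate(s) != null ? "ALLOW  " : "REJECT ") + s);
    }
}
```

The extension is only a first gate, since a server can return any content under a .mp4 path; the Content-Type of the response should be checked as well before the file is passed to another app.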


Timeline - Key dates

  • Reported to Facebook - 21 Oct 2018
  • First Response - 23 Oct 2018
  • Triage - 14 Nov 2018
  • Fixed - 30 Nov 2018
  • Bounty Received - 6 Dec 2018

Response From Facebook Security Team

Hi Ash King

After reviewing this issue, we have decided to award you a bounty of $750. Below is an explanation of the bounty amount. Facebook fulfills its bounty awards through Bugcrowd.

Getting an Android user to open a fb://video/?href= link will result in their phone automatically downloading the linked file if they have a file manager installed.

Thank you again for your report. We look forward to receiving more reports from you in the future!

