Before we go in depth, lets know What is Linkshim ?
Linkshim is a feature/tool built by Facebook’s Integrity Team to protect the users from opening malicious links, The way it works, every time a link is clicked on the site, the link-shim will check that URL against an Facebook’s internally compiled list of malicious links, or against any of many external partners lists McAfee, Google and Web of Trust, etc…
If it appears that this URL is malicious, an interstitial page will be displayed before the browser actually requests the suspicious page warns the user of the nature of continuing to this link.
So Bypassing linkshim means sending any malicious URL to any Facebook user right?
Simply because I used chrome iOS URI scheme to bypass linkshim, So the only affected type of users who have chrome installed on their iPhones.
So what is URI scheme?
In information technology, a Uniform Resource Identifier (URI) is a string of characters used to identify a resource. Such identification enables interaction with representations of the resource over a network, typically the World Wide Web, using specific protocols. Schemes specifying a concrete syntax and associated protocols define each URI.
So simply the uri-scheme is the part before the colon in a URI
As example, https://www.seekurity.com/ the protocol here which is “https” is the uri-scheme we are talking about.
Apple’s iOS (iPhone and iPad Operating system) uses uri-schemes to redirect between apps so if you got twitter on your iPhone you might write on Safari’s address bar twitter:// then click go, Safari browser will launch Twitter app!! What a surprise!
chrome uri-scheme on iOS working exactly the same, that googlechrome://example.com will first launch google chrome then point the browser to navigate to url “http://example.com”
So bypassing linkshim is such an easy thing isn’t it?!
Easy enough but Facebook won’t consider redirecting to google chrome browser because simply this is not their issue! But let’s take everything apart: https://l.facebook.com/l.php?u=googlechrome://example.com/
Red: is Facebook’s responsibility
Green: is the OS responsibility
Blue: is the link owner’s responsibility
So who to blame here? The innocent user?!
The result of clicking on the above link on Facebook app on iOS would lead the innocent user Facebook app to launch Chrome then redirect chrome to open http://example.com/ RIGHT!!
NOPE, We are not there as of yet! We didn’t actually bypass it, Linkshim is a wild cat and won’t allow us to use such protocols *SAD* :/
BUT I managed to find that Linkshim allowing ALL protocols that contains dots *INTERESTING* Isn’t it?!
So all what we need is to put a dot in uri-scheme to fool our wild cat to proceed! eg. google.chrome://example.com/
Are we done?
Not yet, Don’t go away please because that’s not gonna work on iOS and our Chrome app launch won’t succeed.
So I downloaded the IPA of chrome for iOS on my PC, Decompiled it to find other chrome uri schemes, Then guess what I managed to find that “com.google.sso.chrome.stable://” will work like a charm which appears to be the package name of Chrome App! Whooha!
WOW, I can’t believe it, All those dots and all I needed was just one to lead me in!
I know that you got tired and you want the final proof of concept link, Here it is as prize for your patience: https://l.facebook.com/l.php?u=com.google.sso.chrome.stable://example.com
That’s a literal bypass Facebook linkshim!
All that glitters is not gold…
I reported this bug to Facebook Security Team and it got rejected but they fixed it
However this bug might be still exploitable because Linkshim still allowing dots on uri-scheme part. Well, It got rejected so i decided to move on and try something else.
My advise to you is to test it yourself, You might have a better mindset or another interesting attack vector, See ya 😉
A minute if you please!
Building a website, an application or any kind of business? Or already have one? Worried about your security? Think twice before going public and let us protect your business!