Hello all, hope all is well on the other side of the terminal. :=}
I will be writing about a report sent to Facebook which was marked as NA. Feel free to use this if you wish, as it was not considered “worth” it by Facebook.
I am a bit short of time so I will try to make this very crisp and short. And sorry for any mistakes in grammar as I have posted it in one sitting.
Recently I saw some Facebook phishing bugs which got accepted by FB, especially Rahul Kankrale’s report.
I reused a method known as Fullscreen API Attacks, floated by Feross Aboukhadijeh about seven years back.
You can read his post here to learn more about this attack. Thanks to him for his excellent work. (Must read.)
Using the HTML5 Fullscreen API for Phishing Attacks » Feross.org
This issue was more of a browser issue at that time. Now most of them, like Chrome, Safari and Firefox, have fixed it by showing that the site has gone to fullscreen or by adding a time gap when going to fullscreen.
Later I realized that the FB Android app also has an inbuilt browser.
The Facebook browser never shows any delay or any warning while going to fullscreen mode. So there was a possibility of phishing. I tested it with some friends and about half were victims of this method.
After some ok's and no’s with the security team, it was marked as NA. What they said was that the URL shows the third-party site while loading, so it’s not an issue.
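For anyone who ships an app with its own in-app browser, here is one way to give users the same kind of fullscreen notice the desktop browsers show. This is an added example, not code from Facebook or from the original report; the class name `GuardedChromeClient` and the notice wording are assumptions, and it relies only on the standard Android `WebChromeClient` fullscreen callbacks.

```java
import android.app.Activity;
import android.net.Uri;
import android.view.View;
import android.view.ViewGroup;
import android.webkit.WebChromeClient;
import android.webkit.WebView;
import android.widget.Toast;

// Hypothetical WebChromeClient for an in-app browser: every page-initiated
// fullscreen request is announced with the host of the page that asked for it.
public class GuardedChromeClient extends WebChromeClient {
    private final Activity activity;
    private final WebView webView;
    private View customView;
    private CustomViewCallback customViewCallback;

    public GuardedChromeClient(Activity activity, WebView webView) {
        this.activity = activity;
        this.webView = webView;
    }

    @Override
    public void onShowCustomView(View view, CustomViewCallback callback) {
        if (customView != null) {           // already fullscreen: refuse a second request
            callback.onCustomViewHidden();
            return;
        }
        customView = view;
        customViewCallback = callback;
        ViewGroup decor = (ViewGroup) activity.getWindow().getDecorView();
        decor.addView(view, new ViewGroup.LayoutParams(
                ViewGroup.LayoutParams.MATCH_PARENT, ViewGroup.LayoutParams.MATCH_PARENT));

        // The toast is drawn by the system, outside the page's control, so the
        // page cannot cover it with a fake address bar.
        String url = webView.getUrl();
        String host = (url == null) ? null : Uri.parse(url).getHost();
        String who = (host == null) ? "This page" : host;
        Toast.makeText(activity, who + " is now full screen. Press Back to exit.",
                Toast.LENGTH_LONG).show();
    }

    @Override
    public void onHideCustomView() {        // call this from the Activity's Back handler too
        if (customView == null) return;
        ((ViewGroup) activity.getWindow().getDecorView()).removeView(customView);
        customView = null;
        customViewCallback.onCustomViewHidden();
        customViewCallback = null;
    }
}
```

It is attached with `webView.setWebChromeClient(new GuardedChromeClient(activity, webView))`. An app that never needs page-driven fullscreen can simply leave `onShowCustomView` unimplemented.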
Due to time constraints I am directly giving the POC. YOU be the judge. (The initial link in the video asks to “Signup to FB to Continue”.)
Spread LOVE. Bye.