[Facebook] Get sharing URL from any post

This vulnerability allows anyone to get the sharing URL from any post which can even be the one you cannot access due to its privacy setting. But it only reveals the sharing URL, not the content or author of the post.

The hack is pretty simple. It takes place in the share script on the mobile platform.

https://m.facebook.com/sharer.php?sid=...

The script can take a parameter called “sid” indicating ID of the sharing object. The sid value will be used in POST content when sharing the post. It can be set to ID of any post that shares a URL (not applicable to sharing a post or other Facebook items with this vulnerability) and the post, surprisingly, could still be shared successfully afterward. Eventually, the sharing URL in the post with a known post ID is then revealed.

5 Aug 2013 – Reported to Facebook
12 Aug 2013 – Acknowledgement of report
1 Nov 2013 – Vulnerability fixed

Published by

alanyip

My name is Alan Yip, a programmer and security researcher from Hong Kong. I create tweaks for iOS and do security research.

Leave a Reply