This method allows me to impersonate any domain including Facebook domains.
Imagine an attacker can send a phishing page via chat that he controls and impersonate Facebook.
Or the attacker manages to attack other websites of which have send button and change source code “data-href” parameter on the website and every content users share will go to attacker website.
Proof of concept:
Just add the following code to your phishing page header.
<meta property=”og:url” content=”https://facebook.com/” />
<meta property=”og:type” content=”website” />
This could allow an attacker to impersonate any domain. He just needs to change the header of phishing page to the URL he wants to impersonate. This works via chat and via post.