Facebook Open Graph vulnerability: impersonating domains in link previews

This method allows me to impersonate any domain, including Facebook's own domains, in the preview Facebook generates for a shared link.
Imagine an attacker who sends a phishing page he controls via chat: the preview presents it as a Facebook page.
Or the attacker compromises another website that embeds a Facebook Send button and changes the "data-href" parameter in its source code, so that every piece of content users share from that site points to the attacker's website.

Proof of concept:

Just add the following tags to the <head> of the phishing page:

<meta property="og:url" content="https://facebook.com/" />
<meta property="og:type" content="website" />


Facebook's reply:

Hello Diogo, Your report appears to describe a social engineering attack against Facebook users and infrastructure. Although we appreciate the report, such issues do not qualify under our bug bounty program. Thank you for contacting Facebook.
Rita, Security

This allows an attacker to impersonate any domain: he only needs to change the og:url in the header of the phishing page to the URL he wants to impersonate. It works both in chat and in posts.
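To make the mechanism concrete, here is an added example (my own code, not from the original post and not Facebook's scraper): a toy link-preview generator that trusts og:url the way the post describes, next to a hardened version that always displays the host that was actually fetched and flags an og:url pointing elsewhere. It also checks the post's second scenario, a Send button whose data-href has been changed to an off-site URL. All pages are constructed, and the hostnames attacker.example and news.example are assumptions.

```javascript
// Added example, not code from the original post. Pages and hostnames below are constructed.

// Constructed phishing page carrying the two meta tags from the post.
const PHISHING_URL = "https://attacker.example/login"; // assumed attacker host
const PHISHING_HTML = `<!doctype html>
<html><head>
<title>Log in</title>
<meta property="og:url" content="https://facebook.com/" />
<meta property="og:type" content="website" />
<meta property="og:title" content="Facebook - log in or sign up" />
</head><body></body></html>`;

// Constructed legitimate page: og:url stays on the page's own host (only a tracking
// parameter differs), but its Send button has been tampered with so data-href points
// at the attacker (the post's second scenario).
const NEWS_URL = "https://news.example/story/42"; // assumed third-party site
const NEWS_HTML = `<!doctype html>
<html><head>
<meta property="og:url" content="https://news.example/story/42?ref=share" />
<meta property="og:title" content="Story 42" />
</head><body>
<div class="fb-send" data-href="https://attacker.example/collect"></div>
</body></html>`;

// Minimal Open Graph extraction. Regex is enough for these constructed pages;
// a real scraper would use an HTML parser.
function parseOpenGraph(html) {
  const tags = {};
  for (const tag of html.match(/<meta\s+[^>]*>/gi) || []) {
    const prop = /property\s*=\s*["']([^"']+)["']/i.exec(tag);
    const content = /content\s*=\s*["']([^"']*)["']/i.exec(tag);
    if (prop && content && prop[1].startsWith("og:")) tags[prop[1]] = content[1];
  }
  return tags;
}

// Naive preview: the host shown to the user comes from og:url, so the phishing
// page is displayed as facebook.com even though the link leads to attacker.example.
function naivePreview(fetchedUrl, html) {
  const og = parseOpenGraph(html);
  const shown = og["og:url"] || fetchedUrl;
  return { title: og["og:title"] || "", displayHost: new URL(shown, fetchedUrl).hostname, target: fetchedUrl };
}

// Hardened preview: the displayed host is always the host that was actually fetched.
// og:url is honoured as the canonical link only when it stays on that host; otherwise
// it is ignored and the mismatch is flagged. Exact hostname comparison is used here;
// a production check would compare registrable domains so that www.news.example and
// news.example count as the same site.
function hardenedPreview(fetchedUrl, html) {
  const og = parseOpenGraph(html);
  const fetchedHost = new URL(fetchedUrl).hostname;
  let ogHost = null;
  try {
    ogHost = og["og:url"] ? new URL(og["og:url"], fetchedUrl).hostname : null;
  } catch (e) {
    ogHost = null; // an unparsable og:url is treated as absent
  }
  const ogUrlMismatch = ogHost !== null && ogHost !== fetchedHost;
  return {
    title: og["og:title"] || "",
    displayHost: fetchedHost,
    target: fetchedUrl,
    canonical: ogUrlMismatch || ogHost === null ? fetchedUrl : og["og:url"],
    ogUrlMismatch,
  };
}

// Second scenario: every data-href on the page that does not point at the page's own
// host is returned, so a site owner can detect a Send/Share button rewritten to an
// attacker-controlled URL.
function offSiteSendTargets(pageUrl, html) {
  const pageHost = new URL(pageUrl).hostname;
  const hits = [];
  const re = /data-href\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      if (new URL(m[1], pageUrl).hostname !== pageHost) hits.push(m[1]);
    } catch (e) {
      hits.push(m[1]); // unparsable targets are reported as well
    }
  }
  return hits;
}

console.log("naive:", naivePreview(PHISHING_URL, PHISHING_HTML));
console.log("hardened:", hardenedPreview(PHISHING_URL, PHISHING_HTML));
console.log("off-site data-href:", offSiteSendTargets(NEWS_URL, NEWS_HTML));
```

The naive preview reports facebook.com as the display host for the phishing page, which is exactly the impersonation the post describes; the hardened preview reports attacker.example and sets ogUrlMismatch, while the legitimate news page passes the og:url check but is caught by the data-href check.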

