Hello,

It's me, Ajay Gautam, Security Researcher at SayCure. During my weekend I had been looking for security issues on Facebook, but nothing cool was discovered by me. One day I was chatting with my colleagues using Facebook Messenger; we were sharing our achievements and job status. At that moment, a colleague told me that he was interested in the company where I am working. So I sent him my company's official site, but in a slightly different way for fun, and I clicked the link myself too to review my company website. I was surprised that it redirected to a homograph link rather than my company's site.

So, what is the homograph attack?

According to Wikipedia: “The internationalized domain name (IDN) homograph attack is a way a malicious party may deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters look alike (i.e., they are homographs, hence the term for the attack, although technically homoglyph is the more accurate term for different characters that look alike). For example, a regular user of example.com may be lured to click a link where the Latin character ‘a’ is replaced with the Cyrillic character ‘а’.”

How was I able to reproduce the homograph attack on Facebook?

When I send a link like this, ‘😃facebook.com’, in Messenger or WhatsApp, and a user opens the site by clicking 😃facebook.com, it is not redirected to facebook.com but to a homograph site like http://xn--facebook-ti75g.com/.

What is the impact of this bug?

Let's suppose I buy a domain with the name http://xn--facebook-ti75g.com/. When a user sends a message like ‘😃facebook.com’ with the emoji attached, then when the user clicks his own sent link, he can be a victim of the homograph attack. In this scenario the attacker doesn't need to send any link to the victim; the Facebook user we call the victim here can become a victim by himself, and the attacker could also target a particular person by sending such links.
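The conversion described above (an emoji-prefixed hostname turning into an xn-- domain) and the impact scenario, as an added example that is my own code and not part of the post: it shows how a messenger or browser turns ‘😂facebook.com’ into the ACE name xn--facebook-ti75g.com before resolving it, and a defender-side check that flags a link whose visible form collapses to a protected brand once the emoji, or a confusable Cyrillic letter as in the Wikipedia example, is stripped. Assumptions: the emoji is U+1F602, which is what the quoted label xn--facebook-ti75g decodes to; inputs are bare hostnames; the brand list and the confusables table are constructed and partial.

```python
import re

# Constructed inputs for this example, not from the post.
PROTECTED = {"facebook.com", "whatsapp.com"}
# Toy subset of the Unicode TR39 confusables table (Cyrillic letters that
# render like Latin ones); it covers the Wikipedia Cyrillic 'а' example.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0441": "c", "\u0445": "x"}


def host_to_ace(host: str) -> str:
    """ACE form of a hostname, as a browser or messenger builds it before
    DNS lookup: each non-ASCII label is Punycode-encoded and prefixed with
    'xn--' (RFC 3490/3492). The IDNA mapping step is skipped here because
    it leaves emoji and lowercase Latin letters unchanged (assumption)."""
    labels = []
    for label in host.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def ace_to_unicode(host: str) -> str:
    """Reverse of host_to_ace: decode every 'xn--' label back to Unicode."""
    return ".".join(
        label[4:].encode("ascii").decode("punycode")
        if label.startswith("xn--") else label
        for label in host.lower().split("."))


def skeleton(host: str) -> str:
    """What the eye reads: map confusables to Latin, drop other non-ASCII
    code points such as the emoji glued in front of the brand name."""
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in ace_to_unicode(host))
    return re.sub(r"[^\x00-\x7f]", "", mapped)


def lookalike_of(host: str):
    """Return the protected domain `host` impersonates, or None. Accepts the
    Unicode form or the xn-- form, since a messenger may log either; a host
    that really is a protected domain is never flagged."""
    if ace_to_unicode(host) in PROTECTED:
        return None
    seen = skeleton(host)
    return seen if seen in PROTECTED else None
```

A link filter that runs lookalike_of on every outgoing hostname would flag the self-sent ‘😂facebook.com’ message before it is rendered as a clickable link.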

I reported this issue to Facebook, but this was the reply from the FB security team:

Hi Ajay, We are aware of homograph URLs and the potential risks they pose. We have automated systems in place to detect and prevent abusive/malicious domains/URLs. What you’re describing is a social engineering attack against people, which is not in scope for our program. Thanks,

Video PoC showing the attack: