[Facebook] Bypass Linkshim in Product Checkout
An attacker-managed Page could have added evil(.)org or any other link that Facebook's Linkshim would not allow.
POC -
The attacker adds a "Shop" button and a "Product" on his Page, which will later be sent for a review done by Facebook.
After the review, he can edit the "Product" and add any link in "CheckOut", which could not have been done before the review.
Any click made on the button would not have a linkshim trail.
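An added example, not part of the original report and not Facebook's code or its actual fix: a constructed model of the flaw described above, where the checkout link is checked when the product is created but not when it is edited after review, next to an edit path that re-checks the link and a render step that always routes it through a redirector. The blocklist, the shim.example endpoint and all class and function names are assumptions.

```python
from urllib.parse import quote, urlparse

BLOCKED = {"evil.example"}           # constructed stand-in for the link policy
SHIM = "https://shim.example/l?u="   # hypothetical redirector endpoint

def link_allowed(url):
    """Policy check: http(s) only, and host not on (or under) a blocked domain."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    blocked = any(host == b or host.endswith("." + b) for b in BLOCKED)
    return p.scheme in ("http", "https") and host != "" and not blocked

class Product:
    def __init__(self, checkout_url):
        if not link_allowed(checkout_url):
            raise ValueError("checkout link rejected")
        self.checkout_url = checkout_url
        self.approved = False

    def approve(self):
        self.approved = True

    def edit_unsafe(self, checkout_url):
        # Flawed pattern: the edit path trusts the earlier review and skips the check.
        self.checkout_url = checkout_url

    def edit_safe(self, checkout_url):
        # Same policy on every write; an edit also sends the product back to review.
        if not link_allowed(checkout_url):
            raise ValueError("checkout link rejected")
        self.checkout_url = checkout_url
        self.approved = False

def render_checkout_href(product):
    """Defence in depth: re-check and wrap at render time, whatever was stored."""
    if not product.approved or not link_allowed(product.checkout_url):
        return None
    return SHIM + quote(product.checkout_url, safe="")
```

Checking at render time as well as at write time means a link stored through any unchecked path still cannot reach a user without passing the policy and the redirector.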
Timeline -
Reported - Monday, February 4, 2019
Triaged - Thursday, February 7, 2019
Rewarded - Tuesday, May 7, 2019
Fixed - Wednesday, May 15, 2019