This hacker hacked Facebook with XSS script and got $20000 from them


A hacker used a vulnerability in the Facebook Login SDK for JavaScript to mount a Cross-Site Scripting (XSS) attack on the Facebook.com domain, and was paid $20,000 (Rs. 15.00 lakhs) for the report.

An Indian hacker named Vinoth Kumar was able to hack into Facebook using a vulnerability in the Facebook Login SDK for JavaScript. He used a Cross-Site Scripting (XSS) attack to successfully mount a hack on the Facebook.com domain.

Vinoth Kumar works with HackerOne and mostly hunts for exposed dashboards and leaked credentials. This time he decided to venture into something different. “I think DOM XSS through postMessage is an underrated vulnerability and mostly unnoticed by a lot of bug bounty hunters,” he says in his blog post.

Vinoth says he started looking for XSSI, JSONP and postMessage vulnerabilities but quickly dropped XSSI and JSONP from his list, since both classes are as good as dead now that browsers default to SameSite cookies. So he dug deep into postMessage vulnerabilities instead: they are mostly ignored by security researchers, yet they are very easy to debug.

Vinoth visited Facebook.com looking for postMessage vulnerabilities. A website normally uses iframe communication for widgets, plugins or web SDKs, so Vinoth started poking around the Facebook third-party plugins. This is when he noticed that the Facebook Login SDK for JavaScript creates a proxy iframe, v6.0/plugins/login_button.php, for cross-domain communication. Inside that iframe, Facebook renders the Continue with Facebook button.

Vinoth found it interesting that the JavaScript SDK sends an initial payload to the proxy frame containing the button's click URL. When the SDK communicates with the Facebook plugin iframe, the URL parameter is sunk into a variable named i, and when the button's click event fires the function below is executed with it.

Vinoth immediately saw that this could be turned into a Cross-Site Scripting (XSS) payload: the URL ends up in window.open('javascript:alert(document.domain)') and there is no URL or scheme validation in the JavaScript. He found that if he sent a payload with the following URL parameter:

URL: 'javascript:alert(document.domain)'

to the https://www.facebook.com/v6.0/plugins/login_button.php iframe, and the user then clicks the Continue With Facebook button, the javascript:alert(document.domain) URL is executed on the Facebook.com domain.

Exploiting the Iframe to hack Facebook.com

There are two ways to exploit this issue.

  • By opening a pop-up window and communicating with it

  • Opening an iframe and communicating with it

He has already listed the PoC on his blog post. Because this endpoint intentionally omits the X-Frame-Options header and the CSP frame-ancestors directive (it has to be embeddable by third-party sites), the page could easily be embedded into an attacker's page.

Fix

Facebook fixed this by adding a Facebook.com domain regex and scheme check on the URL parameter of the payload, so that a URL failing the check is replaced with an error URL instead of being opened:

d = b("isFacebookURI")(new (g || (g = b("URI")))(c.call.url)),
j = c.call;
d || (j.url = b("XOAuthErrorController").getURIBuilder().setEnum("error_code", "PLATFORM
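To make the flaw and the fix concrete, here is an added example (not code from the page, the SDK or Vinoth's post) of a postMessage receiver in two forms: the unsafe pattern described above, where a URL taken from the message is stored and later handed to window.open unchecked, and a hardened version in the spirit of Facebook's isFacebookURI check. The message shape, the parent-origin allow-list, the host regex and the fallback error URL are all assumptions made for the example; the real SDK's URI helper is not reproduced here. The sample messages at the bottom are constructed.

```javascript
// Added example: unsafe vs. hardened handling of a URL received over postMessage.
// Everything below (message shape, origins, hosts, error URL) is hypothetical.

// Parents that are allowed to talk to this frame (hypothetical allow-list).
const ALLOWED_PARENT_ORIGINS = new Set(["https://www.example-app.com"]);

// Hosts the click URL may point at: facebook.com or any subdomain of it
// (an approximation of the SDK's isFacebookURI check, not the real one).
const ALLOWED_HOST_RE = /^(.+\.)?facebook\.com$/i;

// Hypothetical fallback, standing in for the XOAuthErrorController URL.
const ERROR_URL = "https://www.facebook.com/error?error_code=PLATFORM_ERROR";

// Unsafe pattern: the URL is "sunk" straight into a variable and returned
// for a later window.open(i). Nothing checks the sender or the scheme, so a
// javascript: URL would execute in this frame's own origin on click.
function vulnerableClickUrl(message) {
  const i = message.url;
  return i; // caller does window.open(i) on click
}

// Hardened check: the URL must parse as an absolute URL, use https, and
// point at an allowed host. Relative URLs, javascript:, data:, http: and
// look-alike hosts such as facebook.com.evil.example all fail.
function isAllowedLoginUri(raw) {
  let u;
  try {
    u = new URL(raw); // throws on relative or unparsable input
  } catch (e) {
    return false;
  }
  return u.protocol === "https:" && ALLOWED_HOST_RE.test(u.hostname);
}

// Hardened receiver: drop messages from unexpected parents, insist on a
// string URL, and swap a rejected URL for the safe error URL.
function hardenedClickUrl(message, sourceOrigin) {
  if (!ALLOWED_PARENT_ORIGINS.has(sourceOrigin)) return null;
  if (!message || typeof message.url !== "string") return null;
  return isAllowedLoginUri(message.url) ? message.url : ERROR_URL;
}

// In a browser these would be registered with
// window.addEventListener("message", ...); here they take a plain object
// with the same .origin and .data fields a MessageEvent carries.
function handleMessageVulnerable(event) {
  return vulnerableClickUrl(event.data);
}
function handleMessageHardened(event) {
  return hardenedClickUrl(event.data, event.origin);
}

// Constructed sample messages (not captured traffic).
const benignMsg = {
  origin: "https://www.example-app.com",
  data: { url: "https://www.facebook.com/v6.0/dialog/oauth?client_id=123" },
};
const schemeMsg = {
  origin: "https://www.example-app.com",
  data: { url: "javascript:alert(document.domain)" },
};
const foreignMsg = {
  origin: "https://evil.example",
  data: { url: "https://www.facebook.com/" },
};

console.log("vulnerable:", handleMessageVulnerable(schemeMsg)); // javascript: URL passed through
console.log("hardened:  ", handleMessageHardened(schemeMsg));   // replaced by ERROR_URL
console.log("hardened:  ", handleMessageHardened(foreignMsg));  // null, wrong parent origin
console.log("hardened:  ", handleMessageHardened(benignMsg));   // original https URL
```

Two details matter in practice: the check runs on the parsed URL object rather than on the raw string, so case tricks and leading whitespace are normalised away before the scheme and host are compared, and the sender's origin is checked independently of the URL, because a well-formed Facebook URL from an unexpected parent is still a message the frame should not act on.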

Proof of Concept video

Vinoth says that if someone who is already logged into Facebook visits an attacker-controlled website and clicks the Login with Facebook button there, XSS is triggered on the Facebook.com domain in that user's session. With those conditions met, this amounts to a one-click account takeover on Facebook.com.

Vinoth then approached the Facebook security team which acknowledged the vulnerability and awarded him $20,000 as a bug bounty for finding the flaw.
