Vinoth Kumar works with the HackerOne guys and is mostly into finding open dashboards and credentials. This one time he decided to venture into something different. “I think DOM XSS through postMessage is an underrated vulnerability and mostly unnoticed by a lot of bug bounty hunters,” he says in his blog post.
Vinoth says he started looking for XSSI, JSONP and postMessage vulnerabilities but quickly dropped XSSI and JSONP from his list: both are as good as dead since SameSite cookies were introduced. So he dug deep into postMessage vulnerabilities, which are mostly ignored by security researchers but are very easy to debug.
Exploiting the Iframe to hack Facebook.com
There are two ways to exploit this issue:
- by opening a pop-up window and communicating with it;
- by opening an iframe and communicating with it.
He has already listed the PoC on his blog post. As this endpoint is intentionally missing the ‘X-Frame-Options’ header and the CSP ‘frame-ancestors’ directive, the page could easily be embedded into the attacker’s page.
Facebook fixed this by adding a facebook.com domain regex and scheme check on the URL carried in the payload’s url param:
d = b("isFacebookURI")(new (g || (g = b("URI")))(c.call.url)),
j = c.call;
d || (j.url = b("XOAuthErrorController").getURIBuilder().setEnum("error_code", "PLATFORM
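To make the exploit path and the fix concrete, here is an added example (not Vinoth’s PoC and not Facebook’s code) of a postMessage handler that takes a URL out of the message: the unsafe shape trusts whatever arrives, the hardened shape checks the sender’s origin and then applies the scheme-plus-domain check the fix describes. The trusted origin, the allowed-host regex and the `data.call.url` message layout are assumptions for illustration.

```javascript
// Added example: an origin-less postMessage handler beside its hardened form.
// Assumption: messages look like { origin, data: { call: { url } } } (mirrors c.call.url above).
const TRUSTED_ORIGIN = "https://www.facebook.com"; // assumed value for the example
// Assumption: only facebook.com and its subdomains may appear in the url param.
const ALLOWED_HOST = /^(?:[a-z0-9-]+\.)*facebook\.com$/i;

// Vulnerable shape: no origin check, no scheme or host check.
// Whatever url the embedding page posts is handed on to the sink as-is.
function handleMessageUnsafe(msg) {
  return { accepted: true, url: msg.data.call.url };
}

// Hardened URL check, modelled on the "isFacebookURI" idea in the fix:
// absolute https URL whose hostname is facebook.com or a subdomain of it.
function isFacebookURI(candidate) {
  let parsed;
  try {
    parsed = new URL(candidate); // throws on relative or malformed input
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== "https:") return false; // rejects javascript:, data:, http:
  return ALLOWED_HOST.test(parsed.hostname);      // rejects lookalike and suffix hosts
}

// Hardened handler: check who is talking to us, then check what they sent.
function handleMessageSafe(msg) {
  if (msg.origin !== TRUSTED_ORIGIN) {
    return { accepted: false, reason: "untrusted origin" };
  }
  const url = msg.data && msg.data.call && msg.data.call.url;
  if (typeof url !== "string" || !isFacebookURI(url)) {
    return { accepted: false, reason: "invalid url" };
  }
  return { accepted: true, url };
}
```

In a real page the handler would be registered with `window.addEventListener("message", ...)` and `msg` would be the MessageEvent; the functions take a plain object here so the logic can be exercised outside a browser.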
Proof of Concept video
Vinoth says that if someone already logged into Facebook visits an attacker-controlled website and clicks the “Login with Facebook” button, this would trigger XSS on the facebook.com domain on behalf of that user. Once those conditions are met, this amounts to a 1-click account takeover on Facebook.com.
Vinoth then reported the issue to the Facebook security team, which acknowledged the vulnerability and awarded him $20,000 as a bug bounty for finding the flaw.