Pierluigi Paganini February 01, 2016

A security researcher has discovered a serious XSS flaw that could have allowed attackers to take over users’ Facebook accounts.

The security expert Jack Whitton reported a critical XSS vulnerability to Facebook that could be exploited by hackers to take over users’ Facebook accounts. The researchers reported the flaw to Facebook in July 2015, and the company fixed the problem in just 6 hours.

Facebook rewarded $7,500 the expert for the flaw under its bounty program.

The researcher’s attack method has two main aspects: one related to content types and a DNS issue.

Whitton first attempted to get an uploaded file to be interpreted and he discovered that under specific conditions it’s possible by changing the file extension to .html.

Whitton discovered that while the extensions of photos and videos uploaded to Facebook cannot be modified, the extensions of advertising images uploaded via the Ads Manager could be changed.

The expert wrote embedded an XSS payload into a PNG image’s IDAT chunk, which differently from Exif and iTXt data, were not removed by Facebook.

However, files are stored on Facebook’s content delivery network (CDN), which is sandboxed, this means that malicious code in the image can’t read web data such as session cookies from facebook.com due to the same-origin policy.

Whitton discovered a way to upload a hidden script to the CDN, and then to retrieve that script via specific crafted URL that looks like harmless that a user could be tricked into clicking from a facebook.com domain.

In order to make requests to facebook.com directly, Whitton found several Facebook plugins that are designed to be included in an iframe, which bypasses CSRF protections and allows an attacker to steal authentication token and act on the user’s behalf simply by getting the victim to click on a link.

“What we now need to do is load the plugin inside an iframe, wait for the onload event to fire, and extract the token from the content.” Whitton explained in a blog post. £We now have access to the user’s CSRF token, which means we can make arbitrary requests on their behalf (such as posting a status, etc).”

If the user were logged in, the malicious script could allow impersonating the victim and access his data.

Pierluigi Paganini

(Security Affairs – Facebook, XSS)