Thursday, 27 March 2014

Javascript Injection Found On Facebook

Javascript Injection Found On Facebook: the bug was found by Manjesh S, and the Facebook security team awarded Manjesh a bug bounty for it. He shared with HOC the tricks he used to find the bug in Facebook.

Description:
The bug was in Facebook badges and was a SELF stored injection; it was also limited to only 10 characters.
I didn't find any XSS JavaScript that fits within 10 characters, and this was the main problem I was having.

When I sent a request with just the text: Manjesh
I was getting the output: <div class="badge_holder bh_Manjesh">
This is it!! I was able to inject something into a DIV tag..
So let's check out how I did it!!

Steps to Reproduce:

    Go to https://www.facebook.com/badges/profile.php?creating
    Click save and modify the POST request:
    the parameter "layout" is not filtered at all, so put in a small JavaScript payload or any HTML payload
    For example: "><b>M</b>
    After submitting it, the script will be executed in the browser ;)
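To make the injection point concrete from the defender's side, here is an added example (not Facebook's code; the render functions, the pattern and the sample values are assumptions) that reconstructs the observed behaviour of dropping the "layout" value straight into the class attribute, puts the hardened form beside it, and parses both outputs the way a browser would to show which one actually creates a new element. The ten-character limit in the allow-list check mirrors the limit mentioned in the write-up.

```python
import html
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Constructed sample inputs: the harmless value from the write-up and the
# ten-character attribute breakout it describes.
SAFE_LAYOUT = "Manjesh"
BREAKOUT_LAYOUT = '"><script>'


def render_badge_unescaped(layout: str) -> str:
    """Hypothetical reconstruction of the vulnerable behaviour: the POST
    parameter is placed in a class attribute with no encoding, which is what
    the observed output <div class="badge_holder bh_Manjesh"> suggests."""
    return f'<div class="badge_holder bh_{layout}">'


def render_badge_escaped(layout: str) -> str:
    """Hardened form: HTML-escape the value for an attribute context, so a
    double quote can no longer close the attribute and '<' can no longer open
    a tag. The injected text survives only as data inside the attribute."""
    return f'<div class="badge_holder bh_{html.escape(layout, quote=True)}">'


# Assumed allow-list: a layout name is an identifier, so only identifier
# characters are accepted, capped at the 10 characters the write-up mentions.
_LAYOUT_RE = re.compile(r"[A-Za-z0-9_-]{1,10}")


def layout_is_valid(layout: str) -> bool:
    """Stricter defence than escaping alone: reject anything that is not a
    plain identifier before it ever reaches the template."""
    return _LAYOUT_RE.fullmatch(layout) is not None


class _StartTagCollector(HTMLParser):
    """Records every start tag (and its attributes) that the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[Tuple[str, Dict[str, str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def start_tags(markup: str) -> List[Tuple[str, Dict[str, str]]]:
    """Parse markup with the standard-library HTML parser and list the
    elements it creates; attribute values come back already unescaped."""
    parser = _StartTagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    for label, render in (("unescaped", render_badge_unescaped),
                          ("escaped", render_badge_escaped)):
        markup = render(BREAKOUT_LAYOUT)
        print(f"{label}: {markup}")
        print("  elements created:", [tag for tag, _ in start_tags(markup)])
    print("allow-list accepts safe value:", layout_is_valid(SAFE_LAYOUT))
    print("allow-list accepts breakout:", layout_is_valid(BREAKOUT_LAYOUT))
```

Run stand-alone, the unescaped renderer turns the ten-character value into two elements (a div followed by a script tag), while the escaped renderer yields a single div whose class attribute merely contains the text. Attribute-context escaping fixes this particular sink; the allow-list is the cheaper check to put in front of it when the field is known to be an identifier.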

Even though I was not able to do XSS, I reported this as an XSS/self-stored HTML injection, and this was the reply from Facebook:

So it was partially rejected: there is no scope for HTML injection, and I didn't have any proof to show that XSS is possible..

So what can be done with just a 10-char injection?? No XSS possible??

Finally, I didn't find any XSS stuff within 10 chars, but I came up with a logical idea :D

If I were able to execute <noscript> then I could hide all the badges created, but <noscript> didn't work; instead "><script> worked!!

So here is my logical report:

So let's assume USER-A's account is hacked by USER-B.

USER-B goes to https://www.facebook.com/badges/profile.php?creating
and checks email, mobile no. etc..
and gets the link; the link would be like:
https://www.facebook.com/badge.php?id=USERID&bid=BADGEID&key=KEY&format=png&z=11

USER-B will be able to get the email, mobile no. etc.. with this link remotely.

So USER-A will recover his account with forgot password, and USER-A
will change all his email, mobile no. etc..

Now USER-B can get his changed email, mobile no. with the link
https://www.facebook.com/badge.php?id=USERID&bid=BADGEID&key=KEY&format=png&z=11

Yes, this link won't work if the badge is deleted, but if we create a
badge by sending the POST request as said with this payload:

 "><script>

it will make it invisible to USER-A; he will never get to know that the
badge is leaking all his private data..

Also USER-A won't be able to delete the badge, as he won't
know that there is a hidden badge even when he goes to https://www.facebook.com/badges/profile.php ..

This bug got accepted by Facebook and it was fixed very quickly :D

About the Author:
Manjesh S, working as a security researcher.
