Thursday, January 3, 2013

Another Stored XSS in Facebook.com

Another Stored XSS in Facebook.com, Another $3500 Bounty

Hi,

I want to share my Stored XSS finding in facebook.com.


First of all, I must mention that discovering Stored XSS issues in facebook.com is quite rare these days.
To start, I would like to present the steps I took to make this Stored XSS work.
Currently, if you try to create a page (facebook.com/pages/create.php) with a malicious page name (a JavaScript payload), you get blocked by an automated system:

(I'm "sure" there might be a bypass; I haven't spent time testing it yet.)

1. I was able to use another feature to bypass the protection and change the page title by using the Facebook API for updating page attributes (https://developers.facebook.com/docs/reference/api/page/#page_access_tokens). (The Pages API is just a hint :))

In this case, I changed my page title to a "malicious" JavaScript payload (<img src="xx.jpg"onerror=alert(6)>).


2. In Facebook Pages, you can add an application to your page by using the "Add to a Page" box:




When you add a tab to your page, Facebook displays the pages you own/manage by the title of each page.

As a result, I was able to execute a Stored XSS (Facebook didn't filter the page title).




Now it seems to be only a self-stored XSS, but in Facebook Pages you can use the Admin Roles settings to add admins to your page.
In this situation, I added the victim as an administrator of my "malicious page". The victim didn't need to accept this admin request; they were added to my page automatically. So now I was able to exploit this XSS by sending a single link to the victim:

https://www.facebook.com/add.php?api_key=124024574287414&pages=1&page=attackerpageid
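The root cause described above is a sink problem, not an input problem: the page title was checked at one entry point (the create form) but could be set through another path (the API) and was then concatenated into the "add to page" dialog without encoding. The toy below is an added illustration, not Facebook's code; the blocklist, the two entry points and the widget markup are hypothetical, and the only value taken from the post is the sample payload.

```python
import html
import re

# Constructed sample: the page title used in the post.
MALICIOUS_TITLE = '<img src="xx.jpg"onerror=alert(6)>'

# Hypothetical input-side blocklist standing in for the automated check
# on the create form. It only runs on that one entry point.
BLOCKLIST = re.compile(r"<\s*(script|img|iframe|svg)", re.IGNORECASE)


def create_page_via_form(title):
    """Entry point 1 (create form): rejects titles the blocklist matches."""
    if BLOCKLIST.search(title):
        raise ValueError("blocked by automated system")
    return {"name": title}


def update_page_via_api(page, title):
    """Entry point 2 (hypothetical API path): same field, no check."""
    page["name"] = title
    return page


def render_page_picker_vulnerable(pages):
    """'Add to page' box built by string concatenation: the title lands in HTML raw."""
    return "<ul>" + "".join(f"<li>{p['name']}</li>" for p in pages) + "</ul>"


def render_page_picker_fixed(pages):
    """Same widget with output encoding at the sink, which holds for every entry point."""
    return "<ul>" + "".join(
        f"<li>{html.escape(p['name'], quote=True)}</li>" for p in pages
    ) + "</ul>"


def demo():
    """Returns (vulnerable_html, fixed_html) for a page renamed through the API."""
    page = create_page_via_form("My Shop")      # passes the form-side filter
    update_page_via_api(page, MALICIOUS_TITLE)  # second path bypasses it
    return render_page_picker_vulnerable([page]), render_page_picker_fixed([page])
```

The fixed renderer still shows the attacker's text verbatim to the admin, but as inert characters; the form-side filter alone would have been bypassed exactly as the post describes.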

PoC Image:



PoC Video:

Regards,
Nir

1 comment:

Prakhar Prasad said...

And Another classic bug by Nir :)

Great job!
