Monday, November 12, 2012

Stored XSS on Facebook Pages Manager

Facebook Pages Manager is an iOS application that makes it easier for page admins to view insights, respond to their audience, comment on their pages, and so on. Versions before 1.4, which was released in mid-September 2012, contained a stored XSS vulnerability.

The vulnerability was in the page title appearing in the popover when you selected the like, message, or notification button from the top menu. The following steps were taken to produce the XSS on my iPhone:

  1. I created a new Facebook Page on my web browser and set its title to "<img src=x onerror=alert(/XSSed/)>".
  2. I opened the page in the Facebook Pages Manager application on my iPhone.
  3. I selected the like button from the top menu.
  4. An alert showing "/XSSed/" was displayed in the application: the script had executed.

A malicious user could only have exploited this vulnerability on a page that had no likes, messages, or notifications, because the unsanitized page title was embedded into the "***" part of the "No new likes for ***" message; the other count templates did not include the title.
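The following is an added example, not code from the original post or from the Facebook app, that models the popover described above the way a WebView template would build it: once by raw string concatenation of the page title (the vulnerable pattern) and once with the title HTML-escaped first. The template wording and the zero-count branch are assumptions reconstructed from the post; the payload title is the one from step 1, used here as a constructed input.

```javascript
'use strict';

// Payload from the write-up, used here as a constructed test input.
const PAYLOAD_TITLE = '<img src=x onerror=alert(/XSSed/)>';
// A harmless title that still contains HTML-significant characters.
const BENIGN_TITLE = 'Tom & Jerry\'s "Fan Page"';

// Escape the characters that can break out of HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Identity "escape": what the vulnerable template effectively did.
const noEscape = (s) => String(s);

// Popover builder (assumed template). Only the zero-count branch embeds the
// page title, which is why the bug was reachable only on a page with no likes.
function renderLikesPopover(likeCount, pageTitle, escape) {
  if (likeCount === 0) {
    return `<div class="popover">No new likes for ${escape(pageTitle)}</div>`;
  }
  return `<div class="popover">${likeCount} new likes</div>`;
}

// The vulnerable rendering path and the hardened one, side by side.
const renderVulnerable = (n, t) => renderLikesPopover(n, t, noEscape);
const renderSafe = (n, t) => renderLikesPopover(n, t, escapeHtml);

// Crude check: any tag in the output other than the template's own <div>
// wrapper must have come from the untrusted title.
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?div(\s|>)/.test(t));
}

// Stand-alone demo: render the payload through both paths and report.
for (const [label, render] of [['vulnerable', renderVulnerable], ['safe', renderSafe]]) {
  const html = render(0, PAYLOAD_TITLE);
  console.log(`${label}: ${html}`);
  console.log(`  injected tag present: ${containsInjectedTag(html)}`);
}
```

When a DOM is available, the equivalent fix is to create the popover element and assign the untrusted string to `textContent` rather than building HTML with `innerHTML`; escaping at the concatenation point, as above, is the option when the markup is assembled as a string before it reaches the WebView.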

I created a test user account and invited it to take on an admin role for the page. The test user account represented an unsuspecting victim. By clicking just one button to accept the role, the test user gained access to the malicious page, and I was able to confirm that the script executed on that account as well.

This vulnerability was reported on August 11 and the fixed version was released on September 18 as part of Facebook's Security Bug Bounty Program.