Thursday, 27 March 2014

Javascript injection on Facebook


[#] Title: Javascript injection on Facebook
[#] Status: Fixed
[#] Severity: Medium
[#] Author: Manjesh S
[#] Twitter: @Manjesh24


Description:

The bug was in Facebook badges. It was a self-stored injection, and the injected value was limited to 10 characters.
I could not find any JavaScript XSS payload that fits in 10 characters, and that was the main problem I had.

When I sent a request with just the text: Manjesh
I got this output: <div class="badge_holder bh_Manjesh">
That was it: the value lands unescaped inside the class attribute of a DIV tag, so I could inject something there.
So let's check out how I did it!




Steps to Reproduce: 

  1. Go to https://www.facebook.com/badges/profile.php?creating 

  2. Click save and modify the POST request:
    the "layout" parameter is not filtered at all, so put a small JavaScript or HTML payload in it (at most 10 characters)

    For example: "><b>M</b>
  3. After submitting it, the injected markup is rendered by the browser ;)








Even though I was not able to get XSS, I reported this as an XSS / self-stored HTML injection, and this was the reply from Facebook:



So it was partially rejected: HTML injection on its own is out of scope, and I had no proof that XSS was possible.

So what can be done with just a 10-character injection? Is no XSS possible?

In the end I did not find any XSS that fits in 10 characters, but I came up with a logical idea :D

If I could inject <noscript> I could hide all the badges created, but <noscript> did not work ("><noscript> is 12 characters, over the limit); "><script> did work, since it is exactly 10 characters. An opening <script> tag with no closing tag makes the browser treat everything after it as script source instead of markup, so nothing that follows the injected badge gets rendered.

So here is my logical report:

Let's assume USER-A's account is hacked by USER-B.

USER-B goes to https://www.facebook.com/badges/profile.php?creating,
selects email, mobile number, etc.,
and gets the badge link.
The link looks like:


 https://www.facebook.com/badge.php?id=USERID&bid=BADGEID&key=KEY&format=png&z=11
 
With this link USER-B can fetch the email, mobile number, etc. remotely.

Then USER-A recovers the account with forgot password and
changes all of his email, mobile number, etc.

Now USER-B can still get the changed email and mobile number with the same link:
 https://www.facebook.com/badge.php?id=USERID&bid=BADGEID&key=KEY&format=png&z=11

 
Yes, this link will stop working if the badge is deleted, but creating a
badge by sending the POST request as described above with this payload:


 "><script>


makes it invisible to USER-A; he will never get to know that the
badge is leaking all his private data.


Also, USER-A won't be able to delete the badge, since he has no way to
see that a hidden badge exists even when he goes to https://www.facebook.com/badges/profile.php.
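The attribute break-out from the steps above and the hiding trick from this scenario, as an added example that is not part of the original post and not Facebook's code. The badge template, the list markup and the function names are reconstructed from the single line of output quoted in the post and are hypothetical; Python's HTMLParser stands in for the browser tokenizer, which, like a browser, switches to script-data mode at an unclosed <script> and emits no further tags. The same badge list is rendered once with the value dropped in unescaped and once with it attribute-escaped, and the parser reports which badge DIVs it actually sees.

```python
from html import escape
from html.parser import HTMLParser

MAX_LAYOUT_LEN = 10      # the post says the injected value was capped at 10 characters
PAYLOAD = '"><script>'   # closes the class attribute and the tag, then opens <script>


def render_badge_vulnerable(layout: str) -> str:
    """Hypothetical reconstruction of the reported behaviour: the value
    lands unescaped inside a class attribute."""
    layout = layout[:MAX_LAYOUT_LEN]
    return f'<div class="badge_holder bh_{layout}">badge</div>'


def render_badge_fixed(layout: str) -> str:
    """Hardened variant: attribute-escape the value so '"', '<' and '>'
    stay inside the attribute and cannot open a new tag."""
    layout = layout[:MAX_LAYOUT_LEN]
    return f'<div class="badge_holder bh_{escape(layout, quote=True)}">badge</div>'


def render_badge_list(layouts, render_badge) -> str:
    """Hypothetical badge overview page: one entry per badge, in creation order."""
    return "<ul>" + "".join(f"<li>{render_badge(l)}</li>" for l in layouts) + "</ul>"


class BadgeCounter(HTMLParser):
    """Records the class attribute of every badge <div> the tokenizer sees
    as a tag, plus how many <script> tags were opened."""

    def __init__(self):
        super().__init__()
        self.badge_classes = []
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "div":
            self.badge_classes.append(dict(attrs).get("class", ""))
        elif tag == "script":
            # HTMLParser now stays in CDATA mode until a literal </script>;
            # every later <div> is script text and never reaches this method.
            self.scripts += 1


def _parse(page_html: str) -> BadgeCounter:
    parser = BadgeCounter()
    parser.feed(page_html)
    parser.close()
    return parser


def visible_badge_classes(page_html: str) -> list:
    """Class attributes of the badge DIVs that survive tokenization."""
    return _parse(page_html).badge_classes


def script_tags(page_html: str) -> int:
    """Number of <script> start tags the tokenizer produced."""
    return _parse(page_html).scripts


if __name__ == "__main__":
    # Constructed sample: an existing badge, the injected one, and a badge
    # created afterwards (e.g. the one leaking the contact details).
    layouts = ["Manjesh", PAYLOAD, "leaking"]
    for name, render in (("vulnerable", render_badge_vulnerable),
                         ("fixed", render_badge_fixed)):
        page = render_badge_list(layouts, render)
        seen = visible_badge_classes(page)
        print(f"{name}: {len(seen)} of {len(layouts)} badge DIVs seen, "
              f"{script_tags(page)} <script> tag(s)")
        print("   ", page)
```

In the vulnerable rendering the tokenizer sees the first badge and the injected badge's own (now empty) DIV, then one <script> tag, and nothing after it, which is why a badge listed later on the page never shows up. In the fixed rendering all three DIVs are seen and the payload is just an odd-looking class name. The truncation also explains the <noscript> failure: "><noscript> is 12 characters, so the 10-character cap leaves "><noscrip, which opens no usable tag.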



 

This bug was accepted by Facebook and it was fixed very quickly :D