Facebook has awarded a security researcher $20,000 for discovering a cross-site scripting (XSS) vulnerability in the Facebook Login SDK, which is used by developers to add a “Continue with Facebook” button to a page as an authentication method. Exploitation could allow threat actors to hijack accounts.
Security researcher Vinoth Kumar identified a Document Object Model-based (DOM) XSS flaw in the platform’s use of the window.postMessage() method. This method is meant to enable secure cross-origin communication between Window objects.
Kumar said he discovered the flaw when he went digging for client-side vulnerabilities—more specifically, XSSI, JSONP and postMessage issues, according to a recent blog post.
However, many of these flaws proved difficult to find, so he narrowed his focus to postMessage vulnerabilities, “as this is mostly ignored by security researchers, but it’s very easy to debug and no need to bypass firewalls,” he wrote in the post.
Kumar also created a Chrome extension to view/log cross-window communication happening on the page to make his search easier, he said.
He found that the SDK was creating a proxy iframe, v6.0/plugins/login_button.php, for cross-domain communication; the same proxy frame also renders the “Continue with Facebook” button.
Kumar outlined two ways to exploit the vulnerability. One is by opening a pop-up window, and the other is by opening an iframe — and then communicating with either. He provided code samples for both of these exploits, and posted a YouTube video proof of concept. The result of either attack is that an attacker can hijack and take over someone’s account.
Kumar initially notified Facebook of the vulnerability on April 17. Three days later the company pushed out a fix that adds a facebook.com regex domain check and a scheme check on the payload URL parameter, he said.
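To illustrate the class of defect and the shape of the fix described above, here is an added example (not Facebook’s SDK code, and not Kumar’s proof of concept): a postMessage receiver that trusts any sender and passes a URL from the payload straight to a navigation sink, beside a hardened receiver that checks `event.origin` against an exact allow-list and accepts only `https://` URLs on an allowed host. The handler names, the allow-list and the sample messages are constructed for this illustration.

```javascript
// Added example: weak vs. hardened window.postMessage receiver.
// TRUSTED_ORIGIN and the handler names are assumptions for illustration.
const TRUSTED_ORIGIN = "https://www.facebook.com"; // exact origin, not a substring match

// Weak pattern: no origin check, and the payload URL reaches a sink unvalidated.
function handleMessageUnsafe(event) {
  const data = JSON.parse(event.data);
  return { action: "navigate", url: data.url }; // attacker-controlled string flows to location
}

// Scheme + host validation: rejects javascript:, data:, http:, and lookalike hosts.
function isAllowedUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return false; }
  if (u.protocol !== "https:") return false;
  const host = u.hostname; // anchored match, so "facebook.com.evil.example" does not pass
  return host === "facebook.com" || host.endsWith(".facebook.com");
}

// Hardened pattern: verify the sender's origin first, then validate every field used.
function handleMessageSafe(event) {
  if (event.origin !== TRUSTED_ORIGIN) return { action: "ignore", reason: "origin" };
  let data;
  try { data = JSON.parse(event.data); } catch { return { action: "ignore", reason: "parse" }; }
  if (typeof data.url !== "string" || !isAllowedUrl(data.url)) return { action: "ignore", reason: "url" };
  return { action: "navigate", url: data.url };
}

// Constructed sample MessageEvent-like objects (only the fields the handlers read).
const MSG_BENIGN = { origin: TRUSTED_ORIGIN, data: JSON.stringify({ url: "https://www.facebook.com/v6.0/dialog/oauth" }) };
const MSG_SPOOFED_ORIGIN = { origin: "https://attacker.example", data: MSG_BENIGN.data };
const MSG_BAD_SCHEME = { origin: TRUSTED_ORIGIN, data: JSON.stringify({ url: "javascript:void(0)" }) };
const MSG_LOOKALIKE_HOST = { origin: TRUSTED_ORIGIN, data: JSON.stringify({ url: "https://facebook.com.attacker.example/" }) };

// Runs both handlers over the samples and returns the decisions for comparison.
function demo() {
  return {
    unsafeBadScheme: handleMessageUnsafe(MSG_BAD_SCHEME),
    safeBenign: handleMessageSafe(MSG_BENIGN),
    safeSpoofed: handleMessageSafe(MSG_SPOOFED_ORIGIN),
    safeBadScheme: handleMessageSafe(MSG_BAD_SCHEME),
    safeLookalike: handleMessageSafe(MSG_LOOKALIKE_HOST),
  };
}
```

In a browser the hardened function would be registered with `window.addEventListener("message", handleMessageSafe)`; the point to check in review is that both the origin comparison and the host check are exact, since an unanchored regex such as `/facebook\.com/` also matches lookalike domains.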
On April 29, Facebook confirmed that the bug was fixed and paid Kumar his bug bounty on May 1.
The highest bounty that Facebook has paid to date is $50,000, awarded to a researcher who identified a bug in Facebook’s developer subscription mechanism that could allow misuse of notifications about certain types of user activity.