Facebook has awarded a security researcher $20,000 for discovering a cross-site scripting (XSS) vulnerability in the Facebook Login SDK, which is used by developers to add a “Continue with Facebook” button to a page as an authentication method. Exploitation could allow threat actors to hijack accounts.
Security researcher Vinoth Kumar identified a Document Object Model-based (DOM) XSS flaw in the window.postMessage() method of the platform’s code. This method is supposed to enable secure cross-origin communication between Windows objects.
Kumar said he discovered the flaw when he went digging for client-side vulnerabilities—more specifically, XSSI, JSONP and postMessage issues, according to a recent blog post.
However, many of these flaws proved difficult to find, so he narrowed his focus to postMessage vulnerabilities, “as this is mostly ignored by security researchers, but it’s very easy to debug and no need to bypass firewalls,” he wrote in the post.
Kumar also created a Chrome extension to view/log cross-window communication happening on the page to make his search easier, he said.
The researcher first began exploring Facebook’s third-party plug-ins on its developer site to try to find iframe issues. iframes are used to embed one document within another, current HTML document. He discovered an issue there in the Facebook Login SDK for JavaScript.
He found that the SDK was creating a proxy iframe v6.0/plugins/login_button.php for cross-domain communication, while the proxy frame renders the “Continue with Facebook” button.
“The interesting thing was the JavaScript SDK sends [a] payload to the proxy frame, which contains the button’s click URL,” he explained. So, when the user clicks the “Continue with Facebook” button, the URL from the postMessage payload executes in the proxy iframe, which leads to the execution of the JavaScript on Facebook.com.
However, “there’s no URL/schema validation in the JavaScript” to check that the URL request is coming from the legitimate source, he explained, thus opening the door for malicious hijacking.
“So if we send a payload with [the] URL ‘javascript:alert(document.domain)’ to the https://www.facebook.com/v6.0/plugins/login_button.php iframe and the user clicks the ‘Continue With Facebook’ button, javascript:alert(document.domain) would be executed on facebook.com domain,” Kumar explained in his post.
Kumar outlined two ways to exploit the vulnerability. One is by opening a pop-up window, and the other is by opening an iframe — and then communicating with either. He provided code samples for both of these exploits, and posted a YouTube video proof of concept. The result of either of the attacks is that an attacker can hijack and take over someone’s account.
Kumar initially notified Facebook of the vulnerability on April 17. The company three days later pushed out a fix for it that adds a facebook.com regex domain and schema check in the payload URL parameter, he said.
On April 29, Facebook confirmed that the bug was fixed and paid Kumar his bug bounty on May 1.
Facebook has had a bug-bounty program in place since 2011. According to the program’s guidelines, $20,000 is a significant sum of money to be paid for the identification of a vulnerability.
The highest bounty that Facebook has paid to date has been $50,000, to a researcher who identified a bug in Facebook’s developer subscription mechanism that could allow for a misuse in notifications on certain types of user activity.
Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, Taming the Unmanaged and IoT Device Tsunami. Get exclusive insights on how to manage this new and growing attack surface. Please register here for this sponsored webinar.
