Researcher awarded five-figure sum for ‘easy to exploit’ bug
A logged-in user would fall prey to an attack exploiting the critical flaw in Facebook’s payments redirect page by visiting, then clicking on, an attacker-controlled website.
This would trigger the opening of a new tab or popup containing a malicious payload, which then exfiltrates a first-party access_token – handing the attacker control of their account.
Sammouda found that he could send cross-origin messages from facebook.com via postMessage to the opener window.
By chaining this flaw to a script that insecurely constructed and submitted a form based on data received in messages via an Eventlistener, Sammouda achieved XSS and a generous financial reward.
The researcher fashioned the exploit during a hacking competition at BountyCon2020, a bug hunting event held recently by Facebook and Google.
Sammouda deduced that postMessage was intended for exclusive use by Facebook employees because the internal .intern.facebook.com domain was set as targetOrigin.
However, targeting the vulnerable endpoint with .alpha.facebook.com returned this domain as targetOrigin.
This prompted Sammouda to look for pages containing an Eventlistener that only accepted facebook.com subdomains in the message origin – “a big hint that the data received in the message would be used to do something serious”.
When accessing canvas apps, Sammouda noticed that the apps.facebook.com domain loaded ‘https://www.facebook.com/platform/page_proxy/?version=X’ within an iframe then sent messages to it via postMessage (a finding that previously surfaced a serious bug in Facebook’s OAuth framework).
“The page_proxy page contained code that sent a message with frameName via postMessage to any origin… and setup an Eventlistener” that paved the way for XSS, as further explained in the blog post.
“Choosing [the] our.alpha.facebook.com domain would help us to complete the second stage of the attack since postMessage in our.alpha.facebook.com/platform/page_proxy/ would only send messages to http://our.alpha.facebook.com.”
The script inside the page_proxy domain “also would only accept messages from *.facebook.com domains as origin and for that the attack is successful. If it was accepting any origin, using http://our.alpha.facebook.com/platform/page_proxy/ won't be necessary since we can use our own website to send messages using postMessage.”
The researcher added: “Technically speaking, I think this bug isn’t hard to exploit. The hard part however was finding the second part,” related to the message Eventlistener.
Fix and timeline
The flaw was uncovered on October 10, the second and final day of BountyCon2020.
Facebook issued a fix on October 28 after excising postMessage from payment redirects and configuring appTabUrl to be checked when it starts with https[ /^https:/.test(a.data.params.appTabUrl) ].
Sammouda’s bumper payout eclipses the $20,000 earned by researcher Vinoth Kumar in May for uncovering a DOM-based XSS vulnerability in the ‘Login with Facebook’ button, and the $5,000 awarded to Enguerran Gillier for finding the same type of flaw in Gmail in 2018.