Mr. Whitton discovered that he could use steganography to craft a malicious PNG image that also held the source code of an HTML document.
During the upload, he managed to get Facebook's servers to accept the file as a PNG, yet later store it (on the image CDN) as an HTML document.
An HTML file sitting among images on Facebook's CDN was not much use on its own, since that origin holds no user data for an attacker to steal. He therefore had to find a way to load the file from within Facebook's main website.
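As an added illustration (this is not Mr. Whitton's code, and not necessarily the technique he used, which the article does not detail), the script below constructs a PNG that is structurally valid, with correct chunk CRCs, yet carries an HTML document verbatim in an uncompressed tEXt metadata chunk. It then shows the two server-side checks that make such a file harmless: re-serialise the upload keeping only the critical chunks, and derive the response Content-Type from the validated bytes rather than from a client-supplied filename or extension. The image dimensions, colour, keyword and payload are all constructed for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types a decoder actually needs; everything else is ancillary metadata.
CRITICAL_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}

# Constructed payload for the example: markup that must never reach a browser
# as a document.
HTML_PAYLOAD = b"<html><script>alert(document.domain)</script></html>"


def _chunk(ctype, data):
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width, height, rgb, text_chunks=()):
    """Build a minimal valid 8-bit RGB PNG of one solid colour.

    text_chunks is an iterable of (keyword, value) byte pairs written as tEXt
    chunks. tEXt is stored uncompressed, so the value appears byte-for-byte in
    the file while every image decoder still sees a perfectly normal picture.
    """
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = b"\x00" + bytes(rgb) * width          # filter type 0 (None) + pixels
    raw = row * height
    chunks = [_chunk(b"IHDR", ihdr)]
    for key, val in text_chunks:
        chunks.append(_chunk(b"tEXt", key + b"\x00" + val))
    chunks.append(_chunk(b"IDAT", zlib.compress(raw)))
    chunks.append(_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks)


def iter_chunks(data):
    """Yield (type, payload) per chunk, verifying the signature and every CRC.

    Raises ValueError for anything that is not a structurally valid PNG.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc_field) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        expected = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        if struct.unpack(">I", crc_field)[0] != expected:
            raise ValueError("bad CRC on chunk %r" % ctype)
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk")


def is_png(data):
    """True only for a well-formed PNG: IHDR first, at least one IDAT, IEND last."""
    try:
        types = [t for t, _ in iter_chunks(data)]
    except ValueError:
        return False
    return types[:1] == [b"IHDR"] and types[-1:] == [b"IEND"] and b"IDAT" in types


def strip_ancillary(data):
    """Re-serialise a PNG keeping only critical chunks, so metadata such as tEXt
    (a convenient place to hide markup) cannot survive the upload step."""
    kept = [_chunk(t, p) for t, p in iter_chunks(data) if t in CRITICAL_CHUNKS]
    return PNG_SIGNATURE + b"".join(kept)


def content_type_for(data):
    """Pick the Content-Type from the validated bytes, never from the filename.
    Anything that does not parse as a PNG is rejected (None) rather than served."""
    return "image/png" if is_png(data) else None


if __name__ == "__main__":
    polyglot = build_png(4, 4, (255, 0, 0), [(b"Comment", HTML_PAYLOAD)])
    print("upload: valid PNG =", is_png(polyglot),
          "| carries markup =", HTML_PAYLOAD in polyglot)
    clean = strip_ancillary(polyglot)
    print("stored: valid PNG =", is_png(clean),
          "| carries markup =", HTML_PAYLOAD in clean,
          "| served as", content_type_for(clean))
```

Had the storage layer re-encoded the upload this way and served it as image/png regardless of the name it was saved under, the embedded markup would never have reached a browser as a document; adding `X-Content-Type-Options: nosniff` to the CDN response closes the remaining content-sniffing route.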
The bug allowed total compromise of someone’s Facebook account
The researcher's task was not a simple one, since he had to get around several security measures Facebook has in place to stop exactly this kind of attack. Eventually, Mr. Whitton managed to bypass Facebook's LinkShim malicious-link filter, the HttpOnly flag on its session cookies, and its X-Frame-Options headers.
In the end, he found a way to upload a malicious image to Facebook's CDN and have it loaded in an iframe on Facebook's photo.facebook.com subdomain.
Running from that origin, his script could act as the logged-in user: the browser attaches the user's session cookies, which identify the account, to every request the script makes, and the CSRF token that protects state-changing requests can be read from the page.
Because that session can be used to impersonate the user, attackers combining Mr. Whitton's XSS bug with cross-site request forgery (CSRF) techniques could have retrieved a person's account details, posted status updates, or done just about anything a normal Facebook user can do.
Good guy Facebook!
“I actually found this mid-last year, but I’ve been waiting on the final patch to be done,” Mr. Whitton told Softpedia. “I reported it at ~6:50 PM 24/07/15, they confirmed it was an issue at 8:45 PM the same day, then pushed a fix at 12:50 AM on the 25th. So a turnaround of about 6 hours, which is fantastic (especially compared to other companies where people have waited up to 6 months for certain issues).”
Details of the exploit were only released recently, when Mr. Whitton published an in-depth technical write-up of the whole chain on his blog. His work did not go unnoticed either: Facebook awarded him a $7,500 (€6,850) bounty for the findings.
That is not bad at all, given that Mr. Whitton spent only about 12 hours researching the issue.
“For actually discovering that there was a potential bug, I’d say that it took around 2 – 3 hours of just ‘poking around’ different areas of Facebook.com,” Mr. Whitton told Softpedia. “But to actually exploit it, it was about 10 hours to get a working proof-of-concept that demonstrated the real impact.”
But don't be fooled by his success. You won't be able to pick up a pen-testing manual and make bags of money every day. This kind of work requires a great deal of effort and experience, something Mr. Whitton has plenty of, having ranked second in the Facebook Whitehat Programme (bug bounty) for the past two years.
Another Samy MySpace worm disaster avoided
“Whilst it wasn’t labelled explicitly as being critical, I think the turnaround time demonstrates the priority they assigned it,” Mr. Whitton explained about the bug’s severity. “With these sorts of issues, if you were to send someone a link to the malicious image, then the script which the image loads could perform any action on that user’s Facebook account – post a new status, send a message, leak personal photos/messages.”
“It’s a ‘client-side’ issue, so you wouldn’t be able to gain access to Facebook’s servers for example, but they can cause a serious amount of damage, fast,” he also added.
“The worrying thing about XSSes is that they can be ‘wormable’ – if one user clicks the link, then the script can post itself as a status on their account, which means their friends click the link, and so on. This was actually demonstrated quite a few years ago on MySpace,” Mr. Whitton explained, comparing it to the Samy (JS.Spacehero) XSS worm that hit about 1 million MySpace accounts in under 24 hours.
Given the celebrity status the Samy worm brought to Samy Kamkar, a regular presence in our Security News section, one might say Mr. Whitton missed the Hollywood train by doing the right thing. We're just being cheeky: Mr. Whitton did the right thing by reporting it to Facebook.
Proof-of-concept, getting a user’s CSRF token via Mr. Whitton’s XSS exploit