Zero day XSS vulnerability in ‘Login with Facebook’: Hacking Facebook accounts

Vinoth Kumar, an ethical hacking specialist, has revealed a cross-site scripting (XSS) vulnerability in the “Log in with Facebook” button, which gives third-party websites the option to authenticate their users through their social media accounts. The report was rewarded with $20k USD.

Apparently, the flaw arose from an erroneous implementation of the postMessage API. The window.postMessage() method allows cross-origin communication between Window objects (between a web page and an embedded iframe, for example).

The hacking course expert considers postMessage a technology that security researchers rarely examine, so he decided to analyze Facebook's implementation of it. In addition, Enguerran Gillier, a cybersecurity specialist, discovered a virtually identical XSS vulnerability in Gmail, according to a recently revealed report.

Kumar began by examining third-party plugins for Facebook, looking for possible iframe security issues. The researcher found an effective path for his analysis by reviewing the Facebook login software development kit. The expert noted that the SDK performed no URL or scheme validation before using the supplied URL, which created an opportunity to deploy the XSS attack.

“If a payload is sent with url:'javascript:alert(document.domain)' to the iframe https://www.facebook.com/v6.0/plugins/login_button.php and the user clicks the Continue with Facebook button, javascript:alert(document.domain) will run in the facebook.com domain”, mentions the Kumar report.

According to experts in a hacking course, had the flaw gone uncorrected it would have given threat actors a way to take control of specific accounts. All they would have to do is trick third parties into interacting with a malicious link: “If someone visits a hacker-controlled website and clicks the Log in with Facebook button, the XSS vulnerability would be triggered in the facebook.com domain with the target user's name,” the report mentions.

Facebook confirmed the incident, noting that it was resolved by adding a regular-expression check restricting the URL to the facebook.com domain and validating the payload's URL parameter. According to the International Institute of Cyber Security (IICS), the report was issued on April 17, and the flaw was resolved three days later. The reward was sent to the researcher on May 1. Facebook is expected to issue a report with additional details about this vulnerability shortly.
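The two points above (a postMessage receiver that uses a caller-supplied url field without scheme validation, and the fix of validating that URL against the facebook.com domain) can be illustrated with a small receiver. This is an added example, not Facebook's SDK code or the code from Kumar's report; the trusted-origin allowlist, the host suffix and the sample messages are all constructed assumptions for the demonstration.

```javascript
// Added example (not Facebook's code): a postMessage receiver for a login
// button living in an iframe. The weak version trusts the message's `url`
// field as-is; the hardened version checks the sender's origin and then
// validates the URL's scheme and host before returning it for use.

// Assumed allowlist of parent origins permitted to drive the iframe (hypothetical).
const TRUSTED_PARENT_ORIGINS = new Set(["https://www.example-partner.com"]);

// Assumed host the login flow may navigate to (hypothetical value).
const ALLOWED_HOST = "facebook.com";

// Weak handling, matching what the article describes: whatever string arrives
// is used, so a "javascript:" URL would later execute in the iframe's own origin.
function vulnerableSelectUrl(payload) {
  return payload.url;
}

// Hardened handling: returns the validated absolute URL, or null if the
// message must be ignored.
function hardenedSelectUrl(event, payload) {
  // 1. Only accept messages from origins we expect to embed this iframe.
  if (!TRUSTED_PARENT_ORIGINS.has(event.origin)) return null;
  if (typeof payload.url !== "string") return null;

  // 2. Parse with the URL constructor; relative or malformed input is rejected.
  let parsed;
  try {
    parsed = new URL(payload.url);
  } catch {
    return null;
  }

  // 3. Require https, which excludes javascript:, data:, http: and friends.
  if (parsed.protocol !== "https:") return null;

  // 4. Require the exact host or a real subdomain of it; a plain "contains"
  //    or prefix check would let facebook.com.untrusted.example through.
  const host = parsed.hostname;
  if (host !== ALLOWED_HOST && !host.endsWith("." + ALLOWED_HOST)) return null;

  return parsed.href;
}

// Simulated messages (constructed for this example; not captured traffic).
const SAMPLE_MESSAGES = [
  { origin: "https://www.example-partner.com", data: { url: "https://www.facebook.com/v6.0/dialog/oauth" } },
  { origin: "https://www.example-partner.com", data: { url: "javascript:alert(document.domain)" } },
  { origin: "https://untrusted.example",       data: { url: "https://www.facebook.com/" } },
  { origin: "https://www.example-partner.com", data: { url: "https://facebook.com.untrusted.example/" } },
  { origin: "https://www.example-partner.com", data: { url: "/relative/path" } },
];

// Runs every sample message through both handlers and returns the decisions.
function runDemo(messages = SAMPLE_MESSAGES) {
  return messages.map((m) => ({
    vulnerable: vulnerableSelectUrl(m.data),
    hardened: hardenedSelectUrl(m, m.data),
  }));
}

// Wiring in a real page (left commented so the block also runs under Node):
// window.addEventListener("message", (event) => {
//   const url = hardenedSelectUrl(event, event.data);
//   if (url !== null) continueButton.href = url;
// });

if (typeof require !== "undefined" && require.main === module) {
  console.table(runDemo());
}
```

The origin check (step 1) and the URL validation (steps 2 to 4) are independent layers: the origin check stops untrusted embedders from sending anything at all, while the scheme and host checks stop a trusted-but-compromised embedder from smuggling a javascript: URL or a look-alike host into the button.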