Author Topic: Facebook fix Critical XSS Bug That Led to Total Account Compromise  (Read 168 times)

0 Members and 1 Guest are viewing this topic.

Offline newspostng

  • Global Moderator
  • Sr. Member
  • *****
  • Posts: 425
    • View Profile

British security researcher Jack Whitton has identified a critical XSS (cross-site scripting) vulnerability on Facebook that could be leveraged via malicious PNG images and grant an attacker access to someone's account.

Mr. Whitton discovered that he could use steganography to craft a malicious PNG image which would hold the source code of an HTML file.

During the upload process, he managed to trick Facebook servers into accepting the initial upload as a PNG file, but later save this PNG (on their image storage CDN servers) as an HTML document.

But this HTML file, saved among images, on Facebook CDN server wasn't really that useful to begin with since there was no data for an attacker to steal and exploit. So he had to find a way to load this HTML file on Facebook's main website.

The bug allowed total compromise of someone's Facebook account

The researcher's task wasn't a simple one since he had to go around various security measures put in place by Facebook to protect its services from exactly these types of attacks. Eventually, Mr. Whitton managed to avoid Facebook's LinkShim malicious link shield,  HTTPOnly cookie settings, and X-Frame-Options headers.

In the end, he found a way to upload a malicious image on Facebook's CDN, which would be loaded via an iframe on Facebooks subdomain.

This granted him enough access to interact with the site's main cookies, where each user's identity token is stored to validate their identity.

Since this token can be used to imitate a Facebook user's logged in session, attackers using Mr. Whitton's XSS bug, together with other CSRF (cross-site request forgery) methods would have been able to retrieve a person's account details, post status updates, or do about anything a normal Facebook user can do.


Facebook Disabled Page Scam requesting users Credit Card and PayPal data

Started by newspostng

Replies: 0
Views: 232
Last post January 07, 2016, 10:33:17 AM
by newspostng
Facebook Boss Zuckerberg reject criticism that his site Fake News affect US Poll

Started by internet police

Replies: 0
Views: 192
Last post November 16, 2016, 07:20:05 AM
by internet police
Facebook posted surprisingly strong profit and revenue growth in Latest Update

Started by legendguru

Replies: 0
Views: 168
Last post November 05, 2015, 11:18:14 AM
by legendguru
Isis made direct threats against Facebook founder Mark Zuckerberg and Twitter

Started by internet police

Replies: 0
Views: 210
Last post February 25, 2016, 06:32:16 AM
by internet police
Facebook bans users from posting Scunthorpe , enables profanity filter feature

Started by admin

Replies: 0
Views: 219
Last post April 06, 2016, 01:26:40 AM
by admin