Author Topic: Facebook fixes Critical XSS Bug That Led to Total Account Compromise

Posted by: newspostng
British security researcher Jack Whitton has identified a critical XSS (cross-site scripting) vulnerability on Facebook that could be leveraged via malicious PNG images and grant an attacker access to someone's account.

Mr. Whitton discovered that he could use steganography to craft a malicious PNG image which would hold the source code of an HTML file.

During the upload process, he managed to trick Facebook servers into accepting the initial upload as a PNG file, but later save this PNG (on their image storage CDN servers) as an HTML document.

But this HTML file, saved among images on Facebook's CDN server, wasn't really that useful to begin with, since there was no data for an attacker to steal and exploit. So he had to find a way to load this HTML file on Facebook's main website.

The bug allowed total compromise of someone's Facebook account

The researcher's task wasn't a simple one, since he had to go around various security measures put in place by Facebook to protect its services from exactly these types of attacks. Eventually, Mr. Whitton managed to avoid Facebook's LinkShim malicious link shield, HTTPOnly cookie settings, and X-Frame-Options headers.

In the end, he found a way to upload a malicious image on Facebook's CDN, which would be loaded via an iframe on Facebook's photo.facebook.com subdomain.

This granted him enough access to interact with the site's main cookies, where each user's identity token is stored to validate their identity.

Since this token can be used to imitate a Facebook user's logged-in session, attackers using Mr. Whitton's XSS bug, together with other CSRF (cross-site request forgery) methods, would have been able to retrieve a person's account details, post status updates, or do about anything a normal Facebook user can do.
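The weak link in the story above is an upload pipeline that accepts a file as a PNG but ends up storing and serving it as HTML. As an added example (not code from the article, the researcher, or Facebook), here is an upload-side check a defender could run before a file reaches a CDN: it parses the PNG chunk structure, verifies CRCs, and flags HTML markers in any chunk, in the decompressed pixel stream, or in bytes tacked on after IEND. The regex, function names, and the two constructed sample files are assumptions made for this illustration; the check goes a little beyond the article's case by covering the IDAT stream and trailing bytes as well as ancillary chunks.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Tags that have no business inside a file a CDN will serve as image/png.
HTML_MARKERS = re.compile(rb"<\s*/?\s*(html|script|iframe|body|svg|meta)\b", re.I)

def make_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF  # CRC covers type + body
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def parse_png_chunks(data: bytes):
    """Walk the chunk list up to IEND; return (chunks, bytes after IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(crc) != 4 or crc != struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF):
            raise ValueError(f"truncated chunk or bad CRC in {ctype!r}")
        chunks.append((ctype, body))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]

def find_html_in_png(data: bytes) -> list:
    """Flag HTML markers in any chunk, in the decoded pixel stream, or after IEND."""
    chunks, trailer = parse_png_chunks(data)
    findings = []
    for ctype, body in chunks:
        if HTML_MARKERS.search(body):
            findings.append(f"html marker in {ctype.decode('latin-1')} chunk")
    idat = b"".join(body for ctype, body in chunks if ctype == b"IDAT")
    if idat and HTML_MARKERS.search(zlib.decompressobj().decompress(idat)):
        findings.append("html marker in decompressed IDAT")
    if trailer:
        findings.append(f"{len(trailer)} bytes after IEND")
    return findings

# Constructed 1x1 grayscale PNG (not a real upload); the tainted copy carries HTML in a tEXt chunk plus bytes after IEND.
_IHDR = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
_IDAT = make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
_IEND = make_chunk(b"IEND", b"")
SAMPLE_CLEAN = PNG_SIGNATURE + _IHDR + _IDAT + _IEND
SAMPLE_TAINTED = (PNG_SIGNATURE + _IHDR + make_chunk(b"tEXt", b"Comment\x00<html>x</html>")
                  + _IDAT + _IEND + b"<body>trailing</body>")
```

A check like this is one layer only; uploads should still be re-encoded and served with a fixed image Content-Type rather than whatever the stored bytes sniff as.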
