Facebook fix Critical XSS Bug That Led to Total Account Compromise

[newspostng]

BOOK INTERNATIONAL FLIGHTS TICKETS LOCAL FLIGHTS HOTELS BOOKINGS WORLDWIDE AND MORE AT CHEAPEST RATE EVER! CLICK HERE TO BOOK YOUR FLIGHT AND RECEIVE YOUR FLIGHT TICKET INSTANTLY

Loading...

British security researcher Jack Whitton has identified a critical XSS (cross-site scripting) vulnerability on Facebook that could be leveraged via malicious PNG images and grant an attacker access to someone's account.

Mr. Whitton discovered that he could use steganography to craft a malicious PNG image which would hold the source code of an HTML file.

During the upload process, he managed to trick Facebook servers into accepting the initial upload as a PNG file, but later save this PNG (on their image storage CDN servers) as an HTML document.

But this HTML file, saved among images, on Facebook CDN server wasn't really that useful to begin with since there was no data for an attacker to steal and exploit. So he had to find a way to load this HTML file on Facebook's main website.

The bug allowed total compromise of someone's Facebook account

The researcher's task wasn't a simple one since he had to go around various security measures put in place by Facebook to protect its services from exactly these types of attacks. Eventually, Mr. Whitton managed to avoid Facebook's LinkShim malicious link shield,  HTTPOnly cookie settings, and X-Frame-Options headers.

In the end, he found a way to upload a malicious image on Facebook's CDN, which would be loaded via an iframe on Facebooks photo.facebook.com subdomain.

This granted him enough access to interact with the site's main cookies, where each user's identity token is stored to validate their identity.

Since this token can be used to imitate a Facebook user's logged in session, attackers using Mr. Whitton's XSS bug, together with other CSRF (cross-site request forgery) methods would have been able to retrieve a person's account details, post status updates, or do about anything a normal Facebook user can do.