Facebook paid $7,500 to a security researcher who discovered a flaw that attackers could have exploited to access users' Facebook accounts.
The critical cross-site scripting (XSS) vulnerability was found by Jack Whitton, a security consultant based in the UK. He promptly reported the discovery to Facebook, whose engineers reacted quickly and patched the flaw within a few hours. The report earned him $7,500.
Flaws like this are becoming harder to spot, and the rewards paid to bug bounty hunters are rising accordingly.
Specifically, Whitton noticed that an uploaded advertising image could be interpreted as an HTML file simply by changing its extension to .html. Content-type handling and a DNS issue were the two ingredients that, combined, made the account compromise possible.
Following a technique first described in 2012, Whitton encoded an XSS payload into the IDAT chunks of a PNG image. Unlike other kinds of data, such as Exif or iTXt metadata, which Facebook strips from uploaded JPEG and PNG images, the IDAT chunks (the image's compressed pixel data) stay in the file. Whitton then bypassed the Link Shim system, but still had to find a way to move from the content delivery network (CDN) to a facebook.com domain.
What he found was that the DNS entries for photos.facebook.com actually pointed at the CDN, a globally distributed network of proxy servers, making it possible to execute the payload simply by navigating to the uploaded, extension-modified HTML file under photos.facebook.com.
In his technical analysis, Whitton noted that Facebook's plugins are specifically designed to be placed in an <iframe>, the element used to embed one document inside another. With this trick, an attacker could easily steal a user's cross-site request forgery (CSRF) token, as long as the victim clicks a malicious link controlled by the attacker.
In this case, Whitton explains, that is easy to achieve because the URL is a legitimate, genuine facebook.com URL rather than a suspicious-looking domain. If the victim falls for it and clicks the link, a script running in the background could then read and control the user's private messages, posts and so on. The script could also post the link to the victim's own account, starting a chain reaction in which the victim's friends open the link in turn.
While the DNS issue was promptly addressed, Whitton noticed that the content-type weakness was still unpatched. Facebook later confirmed that it had fixed this issue as well.