Facebook patched flaw within 9 hours - XML Cross Domain Vulnerability


On March 25, 2014, Facebook announced that it had agreed to buy Oculus VR for $400 million in cash, $1.6 billion in Facebook stock, and an additional $300 million subject to Oculus VR meeting certain financial targets in a transaction expected to close in the second quarter of 2014.

Since 2012, the Oculus website has been in scope for the Facebook Bug Bounty program at facebook.com/whitehat. Security researcher Paulos Yibelo discovered a severe flaw in the developer portal of the website (developers.oculus.com): the site was serving an incorrectly configured crossdomain.xml file that allowed cross-domain reads. In less technical terms, this means the ability to read the contents of any HTML page on the site using the victim's session by way of a simple CSRF-style exploit.

This is considered critical, as it can be used to issue actions, read messages, read anti-CSRF tokens... basically anything the logged-in user can do. The technical write-up is linked in the references below. Facebook fixed the bug ~1 hour after their initial reply; the timeline follows:

Jan 21, 2015 6:59am - Initial Report
Jan 27, 2015 9:09am - Facebook Initial Confirmation
Jan 27, 2015 6:55pm - Fix & Bounty!

The property of Flash that makes this exploitable is that, regardless of the file's extension or served MIME type (say flash.jpg), when the file is embedded as a Flash object the plugin treats it as Flash and runs it, whatever the content type claims.

The exploit scenario follows:

1. Create a malicious flash.swf that performs the malicious actions, such as reading anti-CSRF tokens or messages.
2. Change the extension of flash.swf to flash.jpg.
3. Navigate to support.oculus.com, create a ticket and upload the malicious flash.jpg file as a supporting image for the support team.
4. On our malicious domain (say attacker.com), host:

<object type="application/x-shockwave-flash" data="https://support.oculus.com/attachments/token/APToMFwKw6O45WRIS5lf1HTP7/f..." width="1" height="1">
</object>

5. Now we direct the victim to attacker.com, and as soon as the Flash file runs, Boom! We get everything we need.
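Two controls would have broken the chain described above: a crossdomain.xml that does not grant read access to arbitrary origins, and an upload handler that inspects file contents rather than trusting the extension. The following is an added example (not code from the original article or from Facebook/Oculus) that audits a crossdomain.xml policy for wildcard and insecure allow-access-from rules and checks whether an uploaded "image" is actually a SWF by its magic bytes. The sample policies and file contents are constructed for the demonstration; the function names are my own.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: an over-permissive policy of the kind the article describes.
# domain="*" lets a SWF loaded from any origin read responses with the victim's cookies.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

# Constructed sample: a policy that only trusts one named host over HTTPS.
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.example.com" secure="true" />
</cross-domain-policy>"""


def audit_crossdomain(xml_text):
    """Return a list of findings for risky <allow-access-from> rules in a crossdomain.xml."""
    findings = []
    root = ET.fromstring(xml_text)
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        # Flash treats a missing secure attribute as secure="true" on an HTTPS policy.
        secure = rule.get("secure", "true").lower()
        if domain == "*":
            findings.append("domain=\"*\" allows any origin to read authenticated responses")
        elif domain.startswith("*."):
            findings.append(f"wildcard rule {domain!r}: every subdomain is trusted")
        if secure == "false":
            findings.append(f"secure=\"false\" on {domain!r}: plain-HTTP origins are trusted too")
    return findings


# SWF files start with one of three signatures regardless of the name they are uploaded under:
# FWS (uncompressed), CWS (zlib-compressed), ZWS (LZMA-compressed).
FLASH_MAGIC = (b"FWS", b"CWS", b"ZWS")

# Magic bytes an upload handler expects for the image extensions it accepts.
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def classify_upload(filename, data):
    """Classify an upload by comparing its declared extension with its real content.

    Returns one of:
      "flash-disguised"   - SWF content under a non-.swf name (the article's flash.jpg trick)
      "flash"             - SWF content honestly named .swf
      "ok"                - image bytes match the extension
      "mismatch"          - known image extension but different content
      "unknown-extension" - extension not in the accept list
    """
    ext = os.path.splitext(filename)[1].lower()
    if data[:3] in FLASH_MAGIC:
        return "flash" if ext == ".swf" else "flash-disguised"
    expected = IMAGE_MAGIC.get(ext)
    if expected is None:
        return "unknown-extension"
    return "ok" if data.startswith(expected) else "mismatch"


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("strict", STRICT_POLICY)):
        print(name, audit_crossdomain(policy) or ["no findings"])
    # Constructed upload: an uncompressed SWF header renamed to .jpg, as in step 2 of the scenario.
    print("flash.jpg ->", classify_upload("flash.jpg", b"FWS\x0a\x00\x00\x00\x00"))
    print("photo.jpg ->", classify_upload("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"))
```

An upload endpoint that rejects anything classified as "flash-disguised" or "mismatch", and serves what it does accept with a restrictive Content-Type and `X-Content-Type-Options: nosniff`, removes the attacker's ability to plant a SWF on the trusted origin; tightening crossdomain.xml removes the value of doing so in the first place.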


Reference(s):

http://www.paulosyibelo.com/2015/01/facebooks-oculus-exploiting.html
