Account Takeover in Canvas Apps served in Comet due to failure in Cross-Window-Message Origin validation
Youssef Sammouda
by qw
1y ago
This bug could allow a malicious actor to take over Facebook/Meta accounts if the user decided to play a Canvas game. The new Canvas on Comet uses Compat to display dialogs (e.g. OAuth dialogs) in separate iframes. The process of displaying a dialog is to first receive a message with the type of the dialog (like oauth) and then create an iframe hosting apps.facebook.com/compat; that iframe would then communicate with the parent window via cross-window messaging and try to set up a new communication channel by sending a new MessageChannel port (CometCompatBroker handles that in the pare ..read more
DOM-XSS in Instant Games due to improper verification of supplied URLs
Youssef Sammouda
by qw
1y ago
This bug could allow a malicious actor to take over Facebook (and Meta) accounts after tricking the user into playing an Instant Game. This bug exists because the “goURIOnWindow” module, which is widely used across Meta platforms, fails to verify the scheme of the supplied URL, which means we can supply a javascript: URI scheme and achieve DOM-XSS. Details The function inside the goURIOnWindow module has this code __d("goURIOnWindow", ["ConstUriUtils", "FBLogger", "err"], (function(a, b, c, d, e, f, g) { "use strict"; function a(a, b) { var e = typeof b === "string" ? d("ConstUriUtils").getUri ..read more
Account takeover of Facebook/Oculus accounts due to First-Party access_token stealing
Youssef Sammouda
by qw
1y ago
A malicious actor could steal a first-party access token of the Oculus application, which he could use to access the Facebook/Oculus accounts. This was possible because the Oculus application in Facebook, which was used to log in to Oculus using Facebook accounts, had the auth.oculus.com/login/ endpoint as a valid redirect_uri. However, Oculus has switched to using Meta Accounts for login. This means that upon visiting auth.oculus.com/login/, the endpoint would redirect to auth.meta.com/oidc/ for login using Meta Accounts and then come back to auth.oculus.com. We can choose in www.facebook.com ..read more
Multiple bugs chained to take over Facebook accounts that use Gmail
Youssef Sammouda
by qw
2y ago
Description This bug could allow a malicious actor to take over a Facebook account after stealing a Gmail OAuth id_token/code used to log in to Facebook. This happened due to multiple bugs that were chained. The main ones were an intended-by-design XSS in a Facebook sandbox domain and a bug that caused sensitive data to be shared with this sandbox domain. Details The exploitation of the bugs was developed to target only Facebook users who have signed up using a Gmail account, which has an OAuth flow that Facebook can use to log them in to Facebook using that account. It was possible to target ..read more
Oversightboard.com site-wide CSRF due to missing checks
Youssef Sammouda
by qw
2y ago
Description This bug could allow an attacker to force a user of Oversightboard.com who visits the attacker's website to make certain requests which would allow deleting, editing or creating data. This is possible because the website www.oversightboard.com doesn’t implement any security measures, such as a special token or headers, to prevent CSRF attacks. The attacker would first exploit a Login CSRF bug which would force a Facebook- or Instagram-logged-in user to log in to www.oversightboard.com, and then exploit the CSRF bug to perform different actions. Details The a ..read more
Oculus SSO “Account Linking” bug leads to account takeover on third party websites and inside VR Games/Apps
Youssef Sammouda
by qw
2y ago
Description This bug allows an attacker to manipulate the callback endpoint that would receive the Oculus access token used by third-party websites that chose to use the Oculus “Account Linking” feature, which enables an organisation to link a certain Oculus account with its website account. This would lead to account takeover if the attacker could chain this bug with another one in the receiving website (an open redirect) to leak the token to his website. Reproduction Steps 1) I’ll reproduce this behaviour against the Oculus Forums (forums.oculusvr.com); however, any organisation is affected ..read more
Identify a Facebook user by their phone number despite the privacy settings set
Youssef Sammouda
by qw
2y ago
Description This bug could allow an attacker to identify whether a phone number is linked to a Facebook user account and, if so, what the id of the user is. While adding a phone number in m.facebook.com to the attacker's Facebook account, the endpoint m.facebook.com/phoneacquire/ would return the current owner of the phone number despite the privacy settings set by the owner. Reproduction Steps 1) From the attacker account, go to https://m.facebook.com/ntdelegatescreen/?params={“saved”:true}&path=/contacts/management/ 2) Add a new phone number that you need to look up if it’s link ..read more
More secure Facebook Canvas Part 2: More Account Takeovers
Youssef Sammouda
by qw
2y ago
Summary After publishing the write-ups about the bugs I previously found in the Facebook Games Platform (Canvas), I thought about taking a more in-depth look into the code and the changes made to it after the fixes, as sometimes the fix for one bug can introduce another. In this blog post, I’ll write about 3 more bugs I found which lead to Facebook Account Takeover. More secure Facebook Canvas : Tale of $126k worth of bugs that lead to Facebook Account Takeovers Bug 1: Race Condition Bug Last time I explained in depth how some parts of the code work and actually recommended that you take a look at the res ..read more
Multiple bugs allowed malicious Android applications to take over Facebook/Workplace accounts
Youssef Sammouda
by qw
2y ago
Description These bugs could allow malicious actors who own Android applications installed on the victim's device alongside Facebook-owned Android applications (Workplace, Facebook, Messenger ..) to steal a first-party access token and use it to take over the user's Facebook/Workplace account. Details First of all, I’d like to point out how these attacks are carried out on Android. A malicious Android application would first register/add a deep link with a URI scheme; then we force the Facebook/Workplace application to go through the OAuth flow and, instead of redirecting to a website with the access ..read more
More secure Facebook Canvas : Tale of $126k worth of bugs that lead to Facebook Account Takeovers
Youssef Sammouda
by qw
2y ago
Summary Facebook has allowed online game owners to host their games/applications in apps.facebook.com for many years now. The idea and technology behind it was that the game (Flash or HTML5 based) would be hosted on the owner's website, and the website page hosting it would then be shown to the Facebook user in apps.facebook.com inside a controlled iframe. Since the game is not hosted on Facebook, and for the best user experience (such as keeping score and profile data), Facebook had to establish a communication channel with the game owner, for example to verify the identity of the Facebook user. This was e ..read more