A few months ago, I found an XSS on the iOS mobile Facebook app and contacted Facebook about the flaw via their white hat page. Unfortunately for me, I wasn’t eligible for anything because the flaw had already been reported (guys, even a t-shirt would have been fun). Since the iOS mobile app had to be updated, I decided to wait before writing a blog post about it, but a few days ago, there it was, a new, fresh, and faster mobile app! So here is my blog post!
How to Become a White Hat on Facebook :
Test accounts are available and can be created on the fly via the white hat page. Only those accounts should be used to test vulnerabilities on Facebook.
How to Report a Vulnerability on Facebook :
There is a dedicated page for that too. Include as many details as possible on the discovered flaw, and keep the explanation clear (even if that is sometimes difficult). If the problem has never been discovered before, you might be eligible for a bounty.
To qualify for a bounty, you must:
- Adhere to our Responsible Disclosure Policy: “… give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research …”
- Be the first person to responsibly disclose the bug
- Report a bug that could compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within Facebook’s infrastructure, such as:
  - Cross-Site Scripting (XSS)
  - Cross-Site Request Forgery (CSRF/XSRF)
  - Broken Authentication (including Facebook OAuth bugs)
  - Circumvention of our Platform/Privacy permission models
  - Remote Code Execution
  - Privilege Escalation
  - Provisioning Errors
- Please use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners.
- Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)
Our security team will assess each bug to determine if it qualifies.
Rewards
- Our minimum reward is $500 USD
- We will increase the reward for severe or creative bugs
- Only 1 bounty per security bug will be awarded
Exclusions
The following bugs aren’t eligible for a bounty (and we don’t recommend testing for these):
- Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
- Security bugs in third-party websites that integrate with Facebook
- Denial of Service Vulnerabilities
- Spam or Social Engineering techniques
So, now, let’s have a look at the XSS discovered.
An Old XSS, Step by Step :
- You had to create a “note” via a computer
- Then simply write a title and some simple HTML code or JavaScript, and save the note:
- Once that part was done you could connect via the Facebook app on your iPhone and select that note
- You had to click on the edit button and simply re-write your JavaScript code.
- Once Saved you could see your XSS in action
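The walkthrough above shows a stored XSS: a note body saved with HTML/JavaScript on one client, executed when another client rendered it. The post does not say why the iOS app executed it, so the example below is an added illustration, not Facebook's code: it assumes a hypothetical note object `{title, body}` and a client that builds the note's HTML from it. `renderNoteUnsafe` trusts the stored fields as markup (the pattern that would produce the behaviour described), `renderNoteSafe` treats the title as text and passes the body through a small allowlist sanitizer, and `activeMarkup` is a helper that lists script-capable tags in rendered output so the two can be compared. The allowed-tag list, the sample note and the helper names are my own choices.

```javascript
// Added example (not from the original post, not Facebook code): rendering a stored
// note safely versus unsafely. The note shape {title, body} is assumed.

const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br']);

// Matches one complete tag at the start of a string: <name ...> or </name ...>.
// Anything that does not match this shape is treated as text, never as markup.
const TAG_AT_START = /^<\/?([a-zA-Z][a-zA-Z0-9]*)(?:\s[^>]*)?>/;

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Allowlist sanitizer for the note body. Text is escaped (existing entities are
// re-escaped, which is safe but not transparent), <script>/<style> are dropped with
// their contents, allowed tags are re-emitted with no attributes (so on* handlers
// cannot survive) and every other tag is shown as literal text.
function sanitizeBody(html) {
  const src = String(html);
  let out = '';
  let i = 0;
  while (i < src.length) {
    const lt = src.indexOf('<', i);
    if (lt === -1) { out += escapeHtml(src.slice(i)); break; }
    out += escapeHtml(src.slice(i, lt));
    const m = TAG_AT_START.exec(src.slice(lt));
    if (!m) { out += '&lt;'; i = lt + 1; continue; } // lone or malformed '<' is text
    const name = m[1].toLowerCase();
    const closing = m[0][1] === '/';
    i = lt + m[0].length;
    if (!closing && (name === 'script' || name === 'style')) {
      // Drop the element and everything inside it (to the end if unterminated).
      const c = new RegExp(`</${name}\\s*>`, 'i').exec(src.slice(i));
      i = c ? i + c.index + c[0].length : src.length;
      continue;
    }
    out += ALLOWED_TAGS.has(name)
      ? (closing ? `</${name}>` : `<${name}>`)
      : escapeHtml(m[0]);
  }
  return out;
}

// Vulnerable: stored fields are interpolated as markup.
function renderNoteUnsafe(note) {
  return `<h1>${note.title}</h1><div class="note-body">${note.body}</div>`;
}

// Hardened: title is plain text, body goes through the allowlist sanitizer.
function renderNoteSafe(note) {
  return `<h1>${escapeHtml(note.title)}</h1><div class="note-body">${sanitizeBody(note.body)}</div>`;
}

// Detection helper: opening tags in rendered HTML that can run script, i.e. script-like
// elements, on* event handlers, or javascript: URLs in href/src.
function activeMarkup(html) {
  const hits = [];
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)((?:\s[^>]*)?)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (m[0][1] === '/') continue; // closing tags carry no attributes
    const name = m[1].toLowerCase();
    const attrs = m[2];
    if (['script', 'iframe', 'object', 'embed'].includes(name)
        || /\son[a-z]+\s*=/i.test(attrs)
        || /\s(?:href|src)\s*=\s*["']?\s*javascript:/i.test(attrs)) {
      hits.push(m[0]);
    }
  }
  return hits;
}

// Constructed sample note, modelled on the "some simple html code or javascript" above.
const SAMPLE_NOTE = {
  title: 'Shopping list <img src=x onerror=alert(1)>',
  body: '<b>milk</b>, eggs & bread<script>alert(document.cookie)</script><i onmouseover=alert(2)>tea</i>',
};

console.log('unsafe:', activeMarkup(renderNoteUnsafe(SAMPLE_NOTE)));
console.log('safe  :', activeMarkup(renderNoteSafe(SAMPLE_NOTE)));
```

Run with `node` to see the three script-capable tags the unsafe renderer emits and the empty list for the hardened one. The point the walkthrough makes is client-side: if one client (the web site) strips or encodes the stored note and another (the app's web view) does not, the stored payload only needs to wait for the weaker renderer, so every client that displays user-supplied content has to apply the same output encoding or sanitisation.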