This post demonstrates a bug in the Facebook and Instagram CDN that allowed uploading arbitrary content to their web servers by changing the Amazon AWS S3 bucket name in a CDN URL.
As background: on 26.07.2014 I reported a bug (Link) to Facebook and received a $1500 bounty. Below is the report I sent to Facebook for this issue; after reviewing it they awarded $6500 and sent me this message:
This is a very cool, clever find. It's also interesting that
it ended up affecting both Instagram and Facebook due to shared code around
CDNs. After reviewing the issues you have reported, we have decided to award
you a bounty of $6500 USD!
I'd like to thank
the Facebook security team.
Summary:
I found a proxy inside this script (http://photos-g.ak.instagram.com/hphotos-ak-xaf1/outbound-distilleryimage00/t0.0-17/OBPTH/saman_fatahpour.html) that forwards requests to Amazon S3 servers. Through my research I found that this script is vulnerable in the cases described below. I registered the bucket distilleryimage00 on Amazon S3, which gave me permission to upload any content to Facebook/Instagram servers.
Thousands of these buckets can be registered, and the script is vulnerable to this kind of attack.
These two links are equivalent: when Link2 is requested, the proxy script on Facebook/Instagram servers fetches Link1 from Amazon S3:
Link1: distilleryimage00.s3.amazonaws.com/saman_fatahpour.html
Link2: http://photos-g.ak.instagram.com/hphotos-ak-xaf1/outbound-distilleryimage00/t0.0-17/OBPTH/saman_fatahpour.html
I found a bug in Facebook and Instagram servers through which I can upload any content to those servers. Using this bug I found other bugs and vulnerabilities such as: XSS, bypassing the Facebook linkshim, phishing (a malicious Instagram/Facebook login page), and open redirection.
Bug1:
I found that this series of links is vulnerable to changing the Amazon AWS bucket name in some cases, so please first check these links as proof of concept:
Vulnerable cases:
Case 1: distilleryimage0 followed by a series of zeros (distilleryimage00…)
Case 2: distilleryimage0. followed by a series of digits between 0 and 9
Case 3: distilleryimage-.0 followed by a series of zeros
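As an added example (not code from the original report or from Instagram), the following Python models the path-to-bucket mapping behind Link1/Link2 and a loose bucket-name check that would accept the three vulnerable cases above, beside an exact allow-list check that rejects lookalike buckets. The allow-list, both regexes and the function names are assumptions; the report does not show Instagram's real code.

```python
import re
from typing import Optional

# Constructed: the only buckets the proxy should ever fetch from. The report
# does not list Instagram's real allow-list, so this set is an assumption.
ALLOWED_BUCKETS = frozenset({"distilleryimage0", "distilleryimage1"})

# Hypothetical reconstruction of a loose prefix-style check that accepts the
# three bucket-name patterns listed in the report (not Instagram's actual code).
LOOSE_BUCKET_RE = re.compile(r"^distilleryimage[-.]*0[\d.]*$")

# Path segment that names the upstream bucket, e.g. 'outbound-distilleryimage00'.
OUTBOUND_RE = re.compile(r"^outbound-([A-Za-z0-9.\-]{3,63})$")


def parse_cdn_path(path: str):
    """Split a CDN path into (bucket, object_key) or return None.

    The bucket comes from the 'outbound-<bucket>' segment; the object key is
    the final segment, matching Link1/Link2 in the report.
    """
    segments = [s for s in path.split("/") if s]
    if len(segments) < 2:
        return None
    for seg in segments[:-1]:
        m = OUTBOUND_RE.match(seg)
        if m:
            return m.group(1), segments[-1]
    return None


def loose_is_allowed(bucket: str) -> bool:
    # Pattern match: any attacker-registered lookalike such as
    # distilleryimage00, distilleryimage0.123 or distilleryimage-.000 passes.
    return LOOSE_BUCKET_RE.match(bucket) is not None


def strict_is_allowed(bucket: str) -> bool:
    # Exact membership, no patterns: lookalike names never resolve.
    return bucket in ALLOWED_BUCKETS


def resolve_upstream(path: str, is_allowed) -> Optional[str]:
    """Return the S3 URL the proxy would fetch, or None if the bucket is rejected."""
    parsed = parse_cdn_path(path)
    if parsed is None:
        return None
    bucket, key = parsed
    if not is_allowed(bucket):
        return None
    return f"https://{bucket}.s3.amazonaws.com/{key}"


if __name__ == "__main__":
    path = "/hphotos-ak-xaf1/outbound-distilleryimage00/t0.0-17/OBPTH/saman_fatahpour.html"
    print("loose :", resolve_upstream(path, loose_is_allowed))
    print("strict:", resolve_upstream(path, strict_is_allowed))
```

With the loose check the page's Link2 path resolves to the attacker's distilleryimage00 bucket; with the allow-list it resolves to nothing.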
Bug2:
XSS on instagram.com or other domains served by this script:
This link shows the instagram.com cookies; tested in IE10 on Windows 8. It is then possible to send the cookies to another server using JSONP:
Also check the attached video for this bug, and the test image for my Instagram account:
Bug3-1:
Bypassing the Facebook linkshim and open redirection by using trusted servers like fbcdn.net. In my research I found that the Facebook linkshim is vulnerable to external links on fbcdn.net: the server trusts these links, and since I can upload any content to fbcdn.net or send redirect headers from it, I can redirect the link to any server again. I also found other vulnerabilities here:
Facebook considers this link malicious content. I will show how I can bypass the Facebook linkshim and spread the link on my Facebook wall, or use other vulnerabilities in Facebook to redirect any user to this link:
The first bug here: when you post to your wall, this option exists:
Following the steps to add a feeling or an activity and changing the rd parameter, we reach this address:
If we select any feeling or activity item, all the items in the next generated link go directly to facehack.com through fbcdn.net.
This link for a feeling is the final link; if we present it to any user, it bypasses the Facebook linkshim and goes directly to the malicious website:
Finally we reach here:
These parameters can even be forwarded to another server through this trick.
Bug3-2:
This bug is similar to bug 3-1 and bypasses the Facebook linkshim; both buttons (continue and undo) redirect the user to the malicious website.
Bug3-3:
This bug is similar to bug 3-1 and bypasses the Facebook linkshim; the cancel button redirects the user to the malicious website.
Bug3-4:
This bug is similar to bug 3-1 and bypasses the Facebook linkshim in the Facebook like and comment plugins.
The comments link redirects the user to the malicious website:
If the user shares the content from here, the linkshim is bypassed after sharing and the shared link goes directly to the malicious website:
Bug3-5:
If the user shares the link below from the Facebook wall, the linkshim is not added to the URL and the link goes directly to the malicious website:
Bug4:
Fake login page for Instagram, Facebook or other related services, relying on users' trust in the domain name:
In all the bugs and vulnerable scripts that I found, I can upload any content (html/swf/exe/js/…) to all the servers mentioned above, and I can bypass the linkshim to share and spread that content through Facebook or Instagram. These bugs are dangerous: attackers could easily write worms/exploits to spread malicious content, steal cookies, sessions or sensitive information, or redirect anyone to any address. Please also watch the video that I will attach to my report.
Rewards:
Facebook WhiteHat of 2014
A cash reward of $6500
Timeline:
Oct 1, 2014 12:22pm – Initial report sent
Oct 1, 2014 4:57pm – Acknowledgment of issue by Facebook
Oct 1, 2014 6:35pm – Request for clarification from Facebook
Oct 1, 2014 6:51pm – Clarification sent
Oct 3, 2014 12:31pm – Notification of permanent fix by Facebook
Oct 3, 2014 12:41pm – Confirmation of permanent fix sent
Oct 3, 2014 5:00pm – Bounty awarded