Friday, October 17, 2014

Facebook BugBounty - Facebook & Instagram CDN bug


This post demonstrates a bug in the Facebook & Instagram CDN that allowed uploading arbitrary content to their web servers by changing the Amazon AWS S3 bucket name.
As some background, on 26.07.2014 I reported a bug (Link) to Facebook and they gave me a $1500 bounty. Below is the report that I sent to Facebook; after reviewing my report they promised me $6500 and also sent me this message:

This is a very cool, clever find. It's also interesting that it ended up affecting both Instagram and Facebook due to shared code around CDNs. After reviewing the issues you have reported, we have decided to award you a bounty of $6500 USD!

I'd like to thank the Facebook security team.

Summary:
I have found that there is a proxy inside this script (http://photos-g.ak.instagram.com/hphotos-ak-xaf1/outbound-distilleryimage00/t0.0-17/OBPTH/saman_fatahpour.html) that forwards requests to Amazon AWS S3 servers. Through my research I found that this script is vulnerable in the cases that I will describe. I registered this bucket in Amazon S3: distilleryimage00, so I got permission to upload any content to Facebook/Instagram servers.
Thousands of these buckets can be registered, and the script is vulnerable to this kind of attack.
These two links are equivalent; the proxy script on Facebook/Instagram servers requests Link1 from Amazon S3:
Link1: distilleryimage00.s3.amazonaws.com/saman_fatahpour.html
Link2: http://photos-g.ak.instagram.com/hphotos-ak-xaf1/outbound-distilleryimage00/t0.0-17/OBPTH/saman_fatahpour.html

I've found a bug in Facebook and Instagram servers through which I can upload any content to Facebook and Instagram servers. By using this bug I found other bugs and vulnerabilities such as:
XSS – bypass of the Facebook linkshim – phishing (malicious Instagram/Facebook login page) – open redirection

Bug1:

I have found that this series of links is vulnerable to changing the Amazon AWS bucket name in some cases, so please first check these links for proof of concept:
Case 1:
distilleryimage0[a series of zeros]
(continuing with zeros: distilleryimage00…)
Case 2:
distilleryimage0.[a series of numbers between 0 and 9]...
Case 3:
distilleryimage-.0[a series of zeros]
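The root cause in the Summary and Bug1 is that the CDN derived the S3 bucket from an attacker-controlled path segment (outbound-<bucket>) and forwarded to whatever bucket name looked plausible. The following is an added example (not Facebook's or Instagram's code) that contrasts a hypothetical loose resolver, modelled on the three cases above, with a hardened one that only accepts an explicit allowlist of owned bucket names; the allowlist contents, the regex and the function names are assumptions, and the object key is taken as the last path segment as Link1/Link2 suggest.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of bucket names the CDN is meant to proxy.
# Hypothetical: the real list is not on the page.
KNOWN_BUCKETS = frozenset({"distilleryimage0", "distilleryimage1", "distilleryimage2"})

# Hypothetical reconstruction of a loose "looks like one of ours" check:
# the prefix plus any run of digits, dots or dashes. It accepts every
# variant the report lists (distilleryimage00..., distilleryimage0.123,
# distilleryimage-.0...) although nobody on the allowlist owns those buckets.
LOOSE_BUCKET_RE = re.compile(r"^distilleryimage[0-9.\-]+$")

OUTBOUND_PREFIX = "outbound-"


def bucket_from_cdn_url(url):
    """Return the bucket name in the 'outbound-<bucket>' path segment,
    or None when the URL has no such segment."""
    for segment in urlsplit(url).path.split("/"):
        if segment.startswith(OUTBOUND_PREFIX):
            return segment[len(OUTBOUND_PREFIX):]
    return None


def object_key(url):
    """The S3 object key: the last path segment (as in Link1/Link2 above)."""
    return urlsplit(url).path.rsplit("/", 1)[-1]


def resolve_loose(url):
    """Weak resolver: forwards whenever the name merely looks plausible, so an
    attacker-registered bucket gets served from the CDN's own hostname."""
    bucket = bucket_from_cdn_url(url)
    if bucket and LOOSE_BUCKET_RE.match(bucket):
        return f"http://{bucket}.s3.amazonaws.com/{object_key(url)}"
    return None


def resolve_strict(url):
    """Hardened resolver: the path segment is only a lookup key into a fixed
    allowlist; unknown names are rejected (and worth logging as probing)."""
    bucket = bucket_from_cdn_url(url)
    if bucket in KNOWN_BUCKETS:
        return f"http://{bucket}.s3.amazonaws.com/{object_key(url)}"
    return None


if __name__ == "__main__":
    poc = ("http://photos-g.ak.instagram.com/hphotos-ak-xaf1/"
           "outbound-distilleryimage00/t0.0-17/OBPTH/saman_fatahpour.html")
    print("loose :", resolve_loose(poc))   # forwarded to the unowned bucket
    print("strict:", resolve_strict(poc))  # None: rejected
```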


Bug2:

XSS on instagram.com or other domains related to this script:
This link shows the instagram.com cookies, tested in IE10 on Windows 8. It is then possible to send the cookies to another server using JSONP:
Also check the attached video for this bug; test image for my Instagram account:


Bug3-1:

Bypass of the Facebook linkshim and open redirection by using trusted servers like fbcdn.net: as I researched, I found that the Facebook linkshim is vulnerable to external links on fbcdn.net. The server trusts these links, and since I have access to fbcdn.net to upload any content or send redirect headers, I can redirect the link to any server again. I also found other vulnerabilities here:
Facebook considers this link malicious content; I will show how I can bypass the Facebook linkshim and spread the link on my Facebook wall, or use other vulnerabilities in Facebook to redirect any user to this link:

The first bug here is that when you post to your wall this option exists:
Add Feeling or Activity
Following the steps to add a feeling or an activity and changing the rd parameter, we reach this address:
If we select any feeling or activity item, at the next generated link all the items go directly to facehack.com through fbcdn.net.
This link for a feeling is the final link that, if presented to any user, bypasses the Facebook linkshim and goes directly to the malicious website:
Finally we reach here:
These parameters can even be forwarded to another server through this trick.


Bug3-2:

This bug is similar to bug 3-1 and bypasses the Facebook linkshim; both buttons (continue and undo) redirect the user to the malicious website.


Bug3-3:

This bug is similar to bug 3-1 and bypasses the Facebook linkshim; the cancel button redirects the user to the malicious website.


Bug3-4:

This bug is similar to bug 3-1 and bypasses the Facebook linkshim in the Facebook like and comment plugins.
The comments link redirects the user to the malicious website:


If the user shares the content from here, the linkshim is bypassed after sharing and the shared link goes directly to the malicious website:



Bug3-5:

If the user shares the link below from the Facebook wall, the linkshim is not added to the URL and the link goes directly to the malicious website:


Bug4:

Fake login page for Instagram or Facebook or other related services, relying on trust in the domain name:



In all the bugs and vulnerable scripts that I found, I can upload any content (html/swf/exe/js/…) to all the servers I mentioned above, and I can bypass the linkshim to share and spread that content through Facebook or Instagram. These bugs are dangerous: hackers/attackers can easily write worms/exploits to spread malicious content, steal cookies, sessions or secure information, or redirect anyone to any address. Please also watch the video that I will attach to my report.

Rewards:

Facebook WhiteHat of 2014
A cash reward of $6500

Timeline

Oct 1, 2014 12:22pm – Initial report sent
Oct 1, 2014 4:57pm – Acknowledgment of issue by Facebook
Oct 1, 2014 6:35pm – Request for clarification from Facebook
Oct 1, 2014 6:51pm – Clarification sent
Oct 3, 2014 12:31pm – Notification of permanent fix by Facebook
Oct 3, 2014 12:41pm – Confirmation of permanent fix sent
Oct 3, 2014 5:00pm – Bounty awarded
