November 27, 2018

XSS on Facebook-Instagram CDN Server bypassing signature protection.

Security Research, Writeup

All Facebook and Instagram photos and videos are stored on CDN servers under "*.fbcdn.net" and "*.cdninstagram.com" and are served via various sub-domains.
Every photo/video URL on the CDN carries a signature (the 'oh' and 'oe' parameters, among others), so the server throws an error if we modify the file extension (e.g. ".jpg" to ".html").

The first thing that came to mind was: why not strip the unnecessary parameters from the URL and make it as plain as possible? Then it would be very straightforward:

“https://scontent.xx.fbcdn.net/12494762_1700832180174667_9131300789175210564_n.jpg”

Response was: “Access Denied”.

After a lot of digging around, I was able to bypass the signature on any image or video, even on links that had “expired”. That means I also had access to all CDN content that had already expired for the end user.

Vulnerability Discovery

The path contains a "/v/" segment whose purpose is to check whether the hashes in the URL are valid before the content is served.
But simply removing the "/v/" segment still returns an error: “Access Denied”.
So I started thinking of ways to reach the content cross-domain, e.g.

instagram.fpnq2-1.fna.fbcdn.net. 3599 IN CNAME scontent.xx.fbcdn.net.

Boom!

The other sub-domain did not verify the signature at all: the two sub-domains had nothing to do with each other beyond sharing the same parent domain/server.
I was able to browse any raw image/video/SRT file simply by interchanging the sub-domains. 😀
That means we can also change the extension to anything we like, such as ".html" or ".svg", even ".php" (the PHP shell obviously won’t execute, but it demonstrates that the file is still served). It is often possible to upload files that can be interpreted as different file types.
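The root cause described above is that the signature check lived on one host's "/v/" route rather than on the object itself. The following is an added example, not code from the original post or from Facebook, of how a signed-URL check looks when it is bound to the canonical object path (extension included) and enforced identically on every host in the CDN pool. The host names, the signing key, and the exact meaning of 'oh'/'oe' (an HMAC and a hex expiry) are assumptions for the example; `weak_authorize` models the per-host behaviour the writeup observed, `hardened_authorize` the fix.

```python
import hashlib
import hmac
from typing import Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed signing key for the example; a real CDN keeps this in a KMS/HSM.
SECRET = b"example-signing-key-not-real"

# Constructed host pool (hypothetical names). Every host reads the same object
# store; the flag says whether the host enforces the signature in the weak model.
POOL_HOSTS = {
    "instagram.pool.example": True,   # the "/v/" host: checks oh/oe
    "scontent.pool.example": False,   # served the same objects without checking
}


def canonical_path(path: str) -> str:
    """Strip the '/v' routing prefix so one object has one signature everywhere."""
    return path[2:] if path.startswith("/v/") else path


def sign(path: str, expires: int, secret: bytes = SECRET) -> str:
    """HMAC-SHA256 over the canonical path (extension included) and the expiry.

    Assumption: 'oe' is the expiry as a hex Unix timestamp and 'oh' is the hash,
    mirroring the parameter names in the writeup; the scheme itself is the example's.
    """
    msg = f"{canonical_path(path)}|{expires:x}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_signed_url(host: str, path: str, expires: int) -> str:
    return f"https://{host}{path}?oh={sign(path, expires)}&oe={expires:x}"


def verify(path: str, query: str, now: int, secret: bytes = SECRET) -> Tuple[bool, str]:
    """Reject anything unsigned, expired, or signed for a different path."""
    qs = parse_qs(query)
    oh = qs.get("oh", [""])[0]
    oe = qs.get("oe", [""])[0]
    if not oh or not oe:
        return False, "missing signature"
    try:
        expires = int(oe, 16)
    except ValueError:
        return False, "bad expiry"
    if now > expires:
        return False, "expired"
    if not hmac.compare_digest(sign(path, expires, secret), oh):
        return False, "bad signature"
    return True, "ok"


def weak_authorize(url: str, now: int) -> Tuple[bool, str]:
    """Bug model: whether the check runs depends on which pool host got the request."""
    p = urlsplit(url)
    if p.hostname not in POOL_HOSTS:
        return False, "unknown host"
    if not POOL_HOSTS[p.hostname]:
        return True, "served without check"  # the hole: same bytes, no signature needed
    return verify(p.path, p.query, now)


def hardened_authorize(url: str, now: int) -> Tuple[bool, str]:
    """Fix: every host in the pool runs the same check on the same canonical path."""
    p = urlsplit(url)
    if p.hostname not in POOL_HOSTS:
        return False, "unknown host"
    return verify(p.path, p.query, now)
```

Because the HMAC covers the path including the extension, a URL rewritten from ".jpg" to ".html" fails with "bad signature" even when 'oh' and 'oe' are kept, and an unsigned URL on any pool host fails with "missing signature"; swapping hosts while keeping a valid signature is still allowed, since it names the same object.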

Proof of concept

There are still 100+ vulnerable endpoints that only do limited checks on file contents at upload time. So, append the malicious payload to an image/SRT file and upload it to Facebook.
Our final URL then goes from

https://instagram.fpnq2-1.fna.fbcdn.net/v/t51.2885-15/12494762_1700832180174667_9131300789175210564_n.jpg?_nc_cat=0&oh=cb7024e12c863937b69c3d6c15589697&oe=5B31E89F

to

https://scontent.xx.fbcdn.net/t51.2885-15/12494762_1700832180174667_9131300789175210564_n.html


and the XSS is triggered.

Facebook didn’t consider the “signature” bypass or the “data exposure” severe on their own, since it is a “sandbox domain” and the data is served as “public” content. (“Accessing photos via raw image URLs from our CDN (Content Delivery Network) is out of scope.” See their more detailed explanation.)

Impact:
This could have allowed an attacker to run arbitrary JS on the Facebook CDN. It wouldn’t have given access to the user’s cookies/session, because of the sandboxed domain, but it could have been used for phishing or as a Linkshim bypass.
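The PoC worked because the extension in the URL, not the bytes validated at upload, decided how the browser interpreted the file. As an added example (not the post's or Facebook's code), here is an upload gate plus the response headers a CDN would send so that a JPEG with HTML appended is still served as image/jpeg with nosniff, and anything that is not a raster image goes out as a download rather than rendering on the CDN origin. The magic-byte table, the choice of text/plain for SRT subtitles, and the CSP string are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Magic-byte table for the types this example accepts (constructed, not exhaustive).
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]

# Types a browser would render as a scriptable document: never served inline.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml", "text/xml"}

# Shape of an SRT file: a cue number, then a "hh:mm:ss,mmm --> " timing line.
SRT_RE = re.compile(rb"^\s*\d+\r?\n\d{2}:\d{2}:\d{2},\d{3} --> ")


@dataclass
class StoredObject:
    key: str
    content_type: str  # decided at upload time from the bytes, stored with the object
    data: bytes


def sniff(data: bytes) -> Optional[str]:
    """Return the type implied by the leading bytes, or None if unrecognised."""
    for magic, ctype in MAGIC:
        if data.startswith(magic):
            return ctype
    return None


def accept_upload(key: str, declared: str, data: bytes) -> StoredObject:
    """Upload gate: the stored type is what the bytes say, never what the client declared."""
    if declared == "application/x-subrip":
        if not SRT_RE.match(data):
            raise ValueError("not an SRT file")
        return StoredObject(key, "text/plain", data)  # subtitles are served as plain text
    actual = sniff(data)
    if actual is None or actual != declared:
        raise ValueError(f"declared {declared!r} but bytes look like {actual!r}")
    return StoredObject(key, actual, data)


def response_headers(obj: StoredObject) -> Dict[str, str]:
    """Headers for any pool host: the type comes from storage, and nothing may sniff."""
    headers = {
        "Content-Type": obj.content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    # Anything that is not a raster image is a download, so no document ever renders
    # on the CDN origin even if a polyglot slipped past the upload gate.
    if obj.content_type in ACTIVE_TYPES or not obj.content_type.startswith("image/"):
        headers["Content-Disposition"] = "attachment"
    return headers


def handle_request(store: Dict[str, StoredObject], path: str) -> Tuple[int, Dict[str, str]]:
    """Look the object up by its key; the extension in the URL plays no part."""
    name = path.rsplit("/", 1)[-1]
    key = name.rsplit(".", 1)[0]
    obj = store.get(key)
    if obj is None:
        return 404, {}
    return 200, response_headers(obj)
```

With this split, a request for "123_n.html" resolves to the same stored JPEG as "123_n.jpg" and is answered with `Content-Type: image/jpeg` and `nosniff`, so the appended markup is never parsed as a document; an HTML file declared as image/jpeg is refused at upload because its bytes carry no JPEG magic.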

Timeline:

  • 8 Mar, 2018: Initial Report Sent.
  • 10 Mar, 2018: Acknowledgment of Report.
  • 23 Mar, 2018: Issue Fixed.
  • 28 Mar, 2018: $1500 Bounty Awarded by Facebook.

Similar Bugs: