Posted on January 26, 2020

XSS on Facebook’s acquisition Oculus CDN Server


I would suggest reading the previous post first: How I bypassed Facebook CDN content’s signature protection. Oculus was acquired by Facebook, and the Oculus CDN server is also in scope of the Facebook Bug Bounty Program. The same bug was present on “oculuscdn.com”.

On “oculuscdn.com” the bug was very simple and straightforward: just removing the “/v/” path parameter broke the signature validation, and the response contained the original data. There was not even a need to switch to the existing CNAME that points to oculus.xx.fbcdn.net.

Proof of concept

  1. Upload an image from any upload endpoint within oculus.com.
  2. Retrieve the image file URL from the response.
  3. Remove the “/v/” parameter from the URL; afterwards “oh” and “oe” are no longer validated.

https://scontent.oculuscdn.com/v/t64.5771-25/12401200_1904973622996515_3168267743525841480_n.png?_nc_cat=0&oh=6163326b3eb5e79c16c6949f1e734611&oe=5AD840C8

to

https://scontent.oculuscdn.com/t64.5771-25/12401200_1904973622996515_3168267743525841480_n.html
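The following is an added example (not code from the writeup, Oculus or Facebook) that models the defect described above as a URL validator and contrasts it with a hardened version. Only the URL shape comes from the writeup; the signing key, the use of HMAC-SHA256 truncated to 32 hex characters for “oh”, and the treatment of “oe” as a hexadecimal Unix expiry time are assumptions made for the demonstration.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qs

# Constructed signing key. The real CDN key and signature algorithm are not
# known from the writeup; HMAC-SHA256 truncated to 32 hex chars is assumed
# only because "oh" in the writeup is 32 hex characters long.
SIGNING_KEY = b"constructed-demo-key"

# Object path and expiry taken from the URL in the writeup. 0x5AD840C8 is a
# Unix timestamp (19 April 2018); "oe" is assumed to be the expiry in hex.
OBJ = "/t64.5771-25/12401200_1904973622996515_3168267743525841480_n.png"
EXPIRY = 0x5AD840C8
NOW = EXPIRY - 3600          # constructed "current time", signature still valid


def sign_path(obj_path: str, expiry: int) -> str:
    """Assumed scheme: HMAC over 'path|oe', truncated to 32 hex chars."""
    msg = f"{obj_path}|{expiry:08x}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()[:32]


def _extract(url: str):
    """Split a CDN URL into (path, oh, oe); missing parameters become None."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    return parts.path, qs.get("oh", [None])[0], qs.get("oe", [None])[0]


def _check_signature(obj_path: str, oh, oe, now: int) -> bool:
    """Require both parameters, an unexpired 'oe' and a matching 'oh'."""
    if oh is None or oe is None:
        return False
    try:
        expiry = int(oe, 16)
    except ValueError:
        return False
    if now >= expiry:
        return False
    expected = sign_path(obj_path, expiry)
    return hmac.compare_digest(expected.encode(), oh.encode())


def vulnerable_validate(url: str, now: int) -> bool:
    """Flawed check modelled on the writeup: the signature is only enforced
    for paths under '/v/'. Any other path is served without validation."""
    path, oh, oe = _extract(url)
    if not path.startswith("/v/"):
        return True           # BUG: unsigned variant of the path is accepted
    return _check_signature(path[2:], oh, oe, now)


def hardened_validate(url: str, now: int) -> bool:
    """Fix: there is no unsigned route. Every request must carry the '/v/'
    prefix and a valid, unexpired signature over the object path."""
    path, oh, oe = _extract(url)
    if not path.startswith("/v/"):
        return False
    return _check_signature(path[2:], oh, oe, now)


def build_signed_url() -> str:
    """Constructed signed URL in the shape shown in the writeup."""
    oh = sign_path(OBJ, EXPIRY)
    return f"https://scontent.oculuscdn.com/v{OBJ}?_nc_cat=0&oh={oh}&oe={EXPIRY:08x}"


def build_stripped_url() -> str:
    """Same object with '/v/' and the query removed and the extension changed,
    i.e. the shape of the second URL in the writeup."""
    return "https://scontent.oculuscdn.com" + OBJ.replace(".png", ".html")


if __name__ == "__main__":
    for name, url in (("signed", build_signed_url()),
                      ("stripped", build_stripped_url())):
        print(f"{name:8s} vulnerable={vulnerable_validate(url, NOW)} "
              f"hardened={hardened_validate(url, NOW)}")
```

Run as a script it shows the signed URL passing both validators while the stripped URL passes only the vulnerable one. The hardened validator also rejects a signed URL once “oe” has passed and a signed URL whose path (for example the file extension) has been altered after signing, which is the check that keeps an uploaded HTML file from being served under a signature issued for an image.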

Impact

This could have allowed an attacker to run arbitrary JS on Oculus CDN. This wouldn’t have allowed access to the user’s cookies/session due to the sandboxed domain, but could have been used in phishing/as a Linkshim bypass.


Timeline

  • 19 Mar, 2018 – Initial Report Sent.
  • 23 Mar, 2018 – Acknowledgment of Report.
  • 25 May, 2018 – Issue Fixed.
  • 01 June, 2018 – Bounty Awarded by Facebook.

Categories: Security, Writeup
