November 27, 2018

XSS on Facebook’s acquisition Oculus CDN

Security Research, Writeup

This issue is very similar to my previous report.
I thought I would check whether the same issue existed on any other acquisition by "Facebook".

Luckily, the same issue was present on "oculuscdn.com", even without interchanging any subdomains.

Proof of concept

There is an endpoint that allows developers to upload application assets to their Oculus account. All assets are stored on "oculuscdn.com".

Request

POST /upload_image/ HTTP/1.1
Host: graph.oculus.com

multipart/form-data

The response contains an image "id", an image "handle" and an image "uri".

Response

HTTP/1.1 200 OK

{
"id": "1234567890012345",
"handle": "HANDLE_TO_THE_IMAGE",
"uri": "https://scontent.oculuscdn.com/v/t64.5771-25/12410200_1905973632996555_3168227744525844480_n.png?_nc_cat=0&oh=6163326b2eb5e87c16c6949f1e734611&oe=5AD840C8"
}

  • It was much easier than before: just append a malicious payload to the image.
  • Grab the image URL from the response.
  • Remove the "/v/" path segment from the URL and change the file extension (".jpg" to ".html").

So, the final URL will be:

https://scontent.oculuscdn.com/t64.5771-25/12410200_1905973632996555_3168227744525844480_n.html
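The root cause here is a CDN that picks the response Content-Type from the extension in the requested URL instead of from what was actually uploaded. The following is an added example, not Oculus or Facebook code, that contrasts that pattern with a hardened handler which types the object from its own magic bytes, requires the requested extension to agree, and serves anything else as a download; the sample upload and all function names are constructed.

```python
# Constructed sample: a PNG header followed by appended HTML text (no script),
# mimicking an image upload with a payload appended to it.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLE_UPLOAD = PNG_MAGIC + b"\x00" * 16 + b"<html><body>appended</body></html>"

# Extension -> MIME type table shared by both handlers.
EXT_TYPES = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
             "gif": "image/gif", "html": "text/html"}
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif"}


def sniff_image_type(data: bytes):
    """Return the image MIME type implied by the magic bytes, or None."""
    if data.startswith(PNG_MAGIC):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    return None


def extension_of(path: str) -> str:
    """Lower-cased extension of the last path segment, ignoring the query."""
    name = path.rsplit("/", 1)[-1].split("?", 1)[0]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def vulnerable_headers(path: str, data: bytes) -> dict:
    """Vulnerable pattern: Content-Type comes from the requested URL's
    extension, so renaming .png to .html serves the same bytes as HTML."""
    return {"Content-Type": EXT_TYPES.get(extension_of(path),
                                          "application/octet-stream")}


def hardened_headers(path: str, data: bytes) -> dict:
    """Hardened pattern: the type is derived from the object's own magic bytes
    (the same check a CDN would run at upload time) and must agree with the
    requested extension; otherwise the bytes go out as an attachment.
    X-Content-Type-Options stops the browser from re-sniffing the body."""
    sniffed = sniff_image_type(data)
    requested = EXT_TYPES.get(extension_of(path))
    headers = {"X-Content-Type-Options": "nosniff"}
    if sniffed not in IMAGE_TYPES or requested != sniffed:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    else:
        headers["Content-Type"] = sniffed
        headers["Content-Disposition"] = "inline"
    return headers
```

Magic-byte sniffing alone does not defeat every image/HTML polyglot, so the extension match and the nosniff header are what keep the appended text from ever being interpreted as a document.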

Impact:
This could have allowed an attacker to run arbitrary JS on the Oculus CDN. It wouldn't have given access to the user's cookies/session, because the domain is sandboxed, but it could have been used for phishing or as a Linkshim bypass.

Timeline:

  • 19 Mar, 2018: Initial report sent.
  • 22 Mar, 2018: Facebook asked for more details.
  • 22 Mar, 2018: More payloads and clarification sent.
  • 23 Mar, 2018: Acknowledgment of report.
  • 25 May, 2018: Issue fixed.
  • 1 Jun, 2018: $1500 bounty awarded by Facebook.
