[XSLeaks] Tracking User with Page Admin/Editor/Moderator roles on Third Party Website
I was reading this blog about XSLeaks issue in facebook which using window.length to return a number of frames inside the document and use it to extract data from facebook user who visit the Third Party website. So, i start to find the same issue in facebook and i found the same thing in https://web.facebook.com/[page_username]/inbox . You can check if the endpoint has the same issue by typing frames.length in the browser console, in my case it return 3 and This endpoint is only accessible by user which has admin/editor/moderator role. So, if user with no role or had different role besides admin, editor and moderator, it will display a 404 page and the 404 page has 0 frames.length. The reason why the frames.length return a value of 3 is because my page mailbox is not empty and will return 1 if the mailbox is empty (and your a page admin). Using this lovely behaviour i can track if the page admin A is visiting my website. So here is the javascript : <script> page = "Your Pa