Facebook and two dots leak
In this post, I’ll explain to you an interesting bug in Facebook, which made it possible to steal user’s name and email as well as an access token that allowed to read person’s friend list. This is a bug I personally consider my favourite bug bounty finding, you’ll soon find out why :) It was discovered by me and @evil_xorb.
With the link below, you can register to FriendFeed using your Facebook data:
https://www.facebook.com/plugins/registration.php?client_id=2795223269&fields=name,email&redirect_uri=https://friendfeed.com
After clicking the “Zarejestruj się” (Register) button, a POST request to redirect_uri
is issued that contains user’s data visible in the view (name and email) and the access token. The form is vulnerable to Clickjacking but this is kinda by definition since, as Facebook explains:
The registration plugin is an iframe that websites can add with just one line of code
You can have a little bit fun with the Clickjacking here: http://jsfiddle.net/Lg657ypz/show/.
What was, however, more interesting to me was the redirect_uri
parameter. Only URLs within friendfeed.com domain were allowed, so you couldn’t just write redirect_uri=http://evil-domain.com/
to get the userdata and tokens. So, http://any_subdomain.friendfeed.com worked…
While https://other.domain.com did not (empty page):
Well, but every filtering function could possibly contain some issues, couldn’t it? I’ve fiddled with redirect_uri
a little bit and discovered an unusual behaviour. It turned out that when a hostname contains a sequence of two or more dots, the URL is always accepted! For example, https://multiple.dots…com:
At first I thought it didn’t really give me anything as every browser would reject that URL anyway since it is not correct, right? Right?
Well, then another quirk came up. Google Chrome on OSX and Linux treats multiple dots in hostname as a single dot! If you don’t believe me, try to click this link if you’re on one of these platforms. You’ll see an error but the request is issued.
The youtube video below is a PoC that it worked and that I was able to redirect request to my own domain bentkowski.info (or bentkowski..info? ;)).
The bug has already been reported to Facebook and has been fixed pretty quickly. Lessons learnt? When testing some client side issues, check them not only on different browsers but also the same browsers on different OS-es ;)