In the name of Allah the beneficent the Merciful.
This is my first blog post on a Bug Bounty POC.
It was a Thursday morning; as usual I woke up at 5:30 AM.
After Fajr (prayer) I opened my computer to check my emails and
found an email from Facebook regarding a website I had submitted to register under Free Basics:
Free Basics platform - service submission updated
Then I clicked the URL I got in the message:
https://partners.facebook.com/fbs/onboarding/?submission_id=xxxxxxxxxxxxx
I was curious why Facebook had rejected my website submission, so I started pentesting the URL field.
I clicked on edit the URL and changed it to a random URL, but before clicking on Test I captured the simulator request in Burp Suite.
I noticed that the X-Frame-Options header was missing.
So I quickly entered facebook.com in the URL field and then captured the GET request:
GET / HTTP/1.1
Host: https-m-facebook-com.simulator.freebasics.com
After submitting the GET request I was shocked to see that the Free Basics simulator looked to be stripping the X-Frame-Options header of facebook.com.
Then I created a clickjacking test page and, luckily, the facebook.com site was embedded into the frame.
As soon as I found this I quickly reported it to Facebook Security at facebook.com/whitehat.
Here is the video POC link:
https://www.youtube.com/watch?v=Q7BlHACEA64
After some time I tried different websites, like:
Yahoo:
GET / HTTP/1.1
Host: https-yahoo-com.simulator.freebasics.com
Twitter:
GET / HTTP/1.1
Host: https-twitter-com.simulator.freebasics.com
GitHub:
GET / HTTP/1.1
Host: https-github-com.simulator.freebasics.com
Parse:
GET / HTTP/1.1
Host: https-parse-com.simulator.freebasics.com
Moves-app:
GET / HTTP/1.1
Host: https-accounts-moves--app-com.simulator.freebasics.com
PayPal:
GET / HTTP/1.1
Host: https-paypal-com.simulator.freebasics.com
Bugcrowd:
GET / HTTP/1.1
Host: https-bugcrowd-com.simulator.freebasics.com
Synack:
GET / HTTP/1.1
Host: https-synack-com.simulator.freebasics.com
And discovered that the simulator was stripping their X-Frame-Options headers,
so the contents of those pages were getting embedded into an iframe.
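A defender-side way to reason about what was found above, both for the single facebook.com request and for the list of hosts just tried: the following is an added example in Python, not code from the original post, from Facebook or from Free Basics. It classifies the anti-framing posture a browser derives from a response's headers, models a hypothetical proxy rewrite that drops X-Frame-Options the way the simulator appeared to, and contrasts it with a rewrite that carries the origin's policy through and falls back to a SAMEORIGIN default. The proxy functions and the sample header sets are constructed for illustration; the host names are the ones listed in the post.

```python
"""Framing-protection audit for proxied responses.

Added example (not code from the original post or from Facebook/Free Basics).
It models, on constructed headers, the defect the writeup describes: a proxy
that rewrites origin responses and drops X-Frame-Options, so the proxied copy
of a site becomes embeddable in a third-party iframe. The proxy functions
below are hypothetical illustrations, not the simulator's real code.
"""
from typing import Dict, List, Tuple

Headers = Dict[str, str]

# Headers that carry a page's anti-framing policy and must survive a proxy rewrite.
FRAMING_HEADERS = ("x-frame-options", "content-security-policy")


def framing_policy(headers: Headers) -> str:
    """Classify the anti-framing posture a browser would derive from `headers`.

    Returns 'csp' (a frame-ancestors directive is present, which overrides
    X-Frame-Options in current browsers), 'deny', 'sameorigin', 'allow-from'
    (obsolete form, ignored by current browsers, so treated as weak), or
    'none' (the page can be framed by any origin).
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        if directive.strip().lower().startswith("frame-ancestors"):
            return "csp"
    xfo = lower.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        return xfo
    if xfo.startswith("allow-from"):
        return "allow-from"
    return "none"


def frameable_by_third_party(headers: Headers) -> bool:
    """True when nothing in the response stops a foreign origin from framing it."""
    return framing_policy(headers) in ("none", "allow-from")


def naive_rewrite(origin_headers: Headers) -> Headers:
    """Hypothetical proxy rewrite that copies only an allow-list of headers.

    This is the failure mode the writeup observed: X-Frame-Options is not on
    the list, so the proxied page loses the origin's clickjacking protection.
    """
    keep = ("content-type", "content-length", "set-cookie", "cache-control")
    return {k: v for k, v in origin_headers.items() if k.lower() in keep}


def safe_rewrite(origin_headers: Headers) -> Headers:
    """Hypothetical hardened rewrite: carry the origin's framing headers through
    and, if the origin set none, apply the proxy's own SAMEORIGIN default so a
    page never becomes frameable cross-origin merely by passing through.
    """
    out = naive_rewrite(origin_headers)
    for name, value in origin_headers.items():
        if name.lower() in FRAMING_HEADERS:
            out[name] = value
    if frameable_by_third_party(out):
        out["X-Frame-Options"] = "SAMEORIGIN"
    return out


def audit(responses: Dict[str, Headers]) -> List[Tuple[str, str, bool]]:
    """Report (host, policy, frameable) per proxied response; the boolean flags
    hosts a reviewer should escalate, as the writeup did for its list."""
    return [(host, framing_policy(h), frameable_by_third_party(h))
            for host, h in responses.items()]


# Constructed sample origin responses (not captured traffic).
ORIGIN: Dict[str, Headers] = {
    "https-m-facebook-com.simulator.freebasics.com": {
        "Content-Type": "text/html; charset=utf-8",
        "X-Frame-Options": "DENY",
        "Set-Cookie": "sid=constructed; HttpOnly",
    },
    "https-github-com.simulator.freebasics.com": {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
    # Hypothetical host whose origin sends no framing protection at all.
    "https-example-com.simulator.freebasics.com": {
        "Content-Type": "text/html",
    },
}


def audit_naive() -> List[Tuple[str, str, bool]]:
    """Audit results after the header-dropping rewrite: every host is frameable."""
    return audit({host: naive_rewrite(h) for host, h in ORIGIN.items()})


def audit_safe() -> List[Tuple[str, str, bool]]:
    """Audit results after the hardened rewrite: no host is frameable."""
    return audit({host: safe_rewrite(h) for host, h in ORIGIN.items()})


if __name__ == "__main__":
    for row in audit_naive():
        print("naive", *row)
    for row in audit_safe():
        print("safe ", *row)
```

Running the script offline prints one row per host for each rewrite; the point to take from it is the invariant the hardened rewrite enforces: a page fetched through the proxy is never weaker against framing than the origin made it, and a CSP frame-ancestors directive is honoured ahead of X-Frame-Options, which is how current browsers resolve the two.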
Here is the video POC showing different sites getting clickjacked:
https://youtu.be/ptqQxFUZyZU
In the evening I got a message from Facebook saying they couldn't reproduce it.
So I tested again and discovered that this bug exists in Firefox version 44.0.2 on Ubuntu.
Also, to exploit this bug the victim needs to be authenticated to the website through the Free Basics simulator, which lowers the impact of the vulnerability.
Though exploitation is hard, this simple bug could have been used to attack
any site registered under Free Basics.
Now that the bug is fixed, facebook.com has opted out of the Free Basics program,
and they have put their simulator service behind authentication, created an i_org anti-CSRF token, and also adjusted the clickjacking protection.
After the fix was confirmed, Facebook rewarded $500 USD
for my work.
I would like to thank Neal Poole of Facebook Security for assisting with the bug
and clarifying my questions on the issue.
Though the bounty seems low, I am happy that I saved the community
from getting hacked.
Thanks for Reading
Jai Hind :)
Contact info :
facebook : facebook.com/haji.mohd871
twitter : @mohdhaji24
linkedin : linkedin.com/in/mohd-haji-490960a0
Great job!
thanks :)
Great Brother
thank you :)
Macha Allah, great job!
thanks