Saturday 30 April 2016

How I could have Hacked/Clickjacked all websites registered under Free Basics, including Facebook, Parse, Yahoo, Twitter, PayPal, Synack, Bugcrowd, etc.


In the name of Allah the beneficent the Merciful.


This is my first blog post on Bug Bounty POC.
It was a Thursday morning; as usual I woke up at 5:30 AM.
After Fajr (prayer) I opened my computer to look at my emails and
got an email from Facebook regarding a website I had submitted to register under Free Basics.

Free Basics platform - service submission updated

Then I clicked the URL which I got in the message:

https://partners.facebook.com/fbs/onboarding/?submission_id=xxxxxxxxxxxxx

I was curious why Facebook rejected my website submission, so I started pentesting the URL fields.

I clicked on edit the URL and changed it to a random URL, but before clicking on Test I captured the simulator request in Burp Suite.

I noticed that the X-Frame-Options header was missing.
So I quickly entered facebook.com in the URL field and then captured the GET request:

GET / HTTP/1.1
Host: https-m-facebook-com.simulator.freebasics.com

After submitting the GET request I was shocked to see that the Free Basics simulator appeared to be stripping the X-Frame-Options header of facebook.com.
Then I created a clickjacking test page and, luckily, the facebook.com site was embedded into the frame.

As soon as I found this I quickly reported it to Facebook Security at facebook.com/whitehat.

Here is the video POC link:

https://www.youtube.com/watch?v=Q7BlHACEA64


After some time I tried different websites, like:

Yahoo:

GET / HTTP/1.1
Host: https-yahoo-com.simulator.freebasics.com

Twitter:

GET / HTTP/1.1
Host: https-twitter-com.simulator.freebasics.com

GitHub:

GET / HTTP/1.1
Host: https-github-com.simulator.freebasics.com

Parse:

GET / HTTP/1.1
Host: https-parse-com.simulator.freebasics.com

Moves-app:

GET / HTTP/1.1
Host: https-accounts-moves--app-com.simulator.freebasics.com

PayPal:

GET / HTTP/1.1
Host: https-paypal-com.simulator.freebasics.com

Bugcrowd:

GET / HTTP/1.1
Host: https-bugcrowd-com.simulator.freebasics.com

Synack:

GET / HTTP/1.1
Host: https-synack-com.simulator.freebasics.com



And I discovered that the simulator was stripping their X-Frame-Options headers too,
so the contents of those pages were getting embedded into an iframe.
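The defect described above is an intermediary that rebuilds an upstream response and loses the origin's framing policy on the way. The following is an added example, not code from the original post or from Facebook's simulator: it audits an upstream response against the proxied copy and flags stripped or altered framing protection, and shows the forwarding rule a proxy should use (drop only hop-by-hop headers, keep everything else, so X-Frame-Options and CSP frame-ancestors survive). The header sets are constructed samples; the function names and the lossy-proxy behaviour are assumptions for illustration.

```python
"""
Check whether a forwarding intermediary preserved an origin's framing
protection, and show the forwarding rule that keeps it intact.
"""
from typing import Dict, Optional, Tuple

# Hop-by-hop headers a forwarding proxy is expected to drop (RFC 7230, section 6.1).
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}


def frame_policy(headers: Dict[str, str]) -> Optional[str]:
    """Return the effective framing restriction of a response, or None.

    A CSP frame-ancestors directive takes precedence over X-Frame-Options in
    browsers that understand both, so it is checked first.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return "frame-ancestors " + value.strip()
    xfo = lowered.get("x-frame-options")
    if xfo:
        return "x-frame-options " + xfo.strip().upper()
    return None


def audit_proxy(upstream: Dict[str, str], proxied: Dict[str, str]) -> Tuple[bool, str]:
    """Compare the origin's response headers with the proxied copy.

    Returns (ok, message); ok is False when the proxy removed or changed the
    framing policy the origin sent.
    """
    before, after = frame_policy(upstream), frame_policy(proxied)
    if before is None:
        return True, "upstream sends no framing protection; nothing to preserve"
    if after is None:
        return False, f"STRIPPED: upstream had '{before}', proxied response has none"
    if before != after:
        return False, f"CHANGED: '{before}' became '{after}'"
    return True, f"preserved: '{before}'"


def forward_headers(upstream: Dict[str, str]) -> Dict[str, str]:
    """Proxy-side rule: drop only hop-by-hop headers, forward the rest unchanged.

    Security headers (X-Frame-Options, Content-Security-Policy, ...) are end-to-end
    headers and pass through untouched.
    """
    return {k: v for k, v in upstream.items() if k.lower() not in HOP_BY_HOP}


# Constructed sample of what an origin like the ones listed above might send.
UPSTREAM = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Connection": "keep-alive",
}

# Constructed: a rewriting proxy that rebuilds the response from scratch and
# keeps only the headers it thinks the page needs, losing the framing policy.
LOSSY_PROXIED = {"Content-Type": "text/html; charset=utf-8"}


if __name__ == "__main__":
    print(audit_proxy(UPSTREAM, LOSSY_PROXIED))
    print(audit_proxy(UPSTREAM, forward_headers(UPSTREAM)))
```

Run against the lossy sample the audit reports STRIPPED; run against the output of forward_headers it reports the policy as preserved. In practice the same comparison can be made from two captured responses (origin direct vs. through the intermediary), which is exactly the observation that surfaced this bug.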

Here is the video POC showing different sites getting clickjacked:
https://youtu.be/ptqQxFUZyZU

In the evening I got a message from Facebook saying they couldn't reproduce it.
So I tested again and discovered that this bug exists in Firefox version 44.0.2 on Ubuntu.

Also, to exploit this bug the victim needs to authenticate to the website through the Free Basics simulator, which lowers the vulnerability's impact.


Though the exploit is hard, this simple bug could have been used to hack
any site registered under Free Basics.


Now that the bug is fixed, facebook.com has opted out of the Free Basics program,
and they have put their simulator service behind authentication, created an i_org anti-CSRF token, and also adjusted the clickjacking protection.


After the fix was confirmed, Facebook rewarded $500 USD
for my work.



I would like to thank Neal Poole of Facebook Security for assisting with the bug
and clarifying my questions on the issue.

Though the bounty seems low, I am happy that I saved the community
from getting hacked.

Thanks for Reading
Jai Hind  :)


Contact info:
facebook: facebook.com/haji.mohd871
twitter: @mohdhaji24
linkedin: linkedin.com/in/mohd-haji-490960a0