In the name of Allah the beneficent the Merciful.
This is my first blog post on Bug Bounty POC.
It was a Thursday morning; as usual I woke up at 5:30 AM.
After Fajr (prayer) I opened my computer to look at my emails and then
got an email from Facebook regarding a website I had submitted to register under Free Basics.
Free Basics platform - service submission updated
Then I clicked the URL I got in the message:
https://partners.facebook.com/fbs/onboarding/?submission_id=xxxxxxxxxxxxx
I was curious why Facebook rejected my website submission, so I started pentesting the URL field.
I clicked on edit the URL and changed it to a random URL, but before clicking on Test I captured the simulator request in Burp Suite.
I noticed that the X-Frame-Options header was missing.
So I quickly entered facebook.com in the URL field and then captured the GET request.
GET / HTTP/1.1
Host: https-m-facebook-com.simulator.freebasics.com
After submitting the GET request I was shocked to see that the Free Basics simulator looked to be stripping the X-Frame-Options header of facebook.com.
Then I created a clickjacking test page and luckily the facebook.com site was embedded into the frame.
As soon as I found this I quickly reported it to Facebook Security at facebook.com/whitehat.
Here is the video POC link
Video POC
https://www.youtube.com/watch?v=Q7BlHACEA64
After some time I tried different websites like:
Yahoo :
GET / HTTP/1.1
Host: https-yahoo-com.simulator.freebasics.com
Twitter :
GET / HTTP/1.1
Host: https-twitter-com.simulator.freebasics.com
Github :
GET / HTTP/1.1
Host: https-github-com.simulator.freebasics.com
Parse :
GET / HTTP/1.1
Host: https-parse-com.simulator.freebasics.com
Moves-app :
GET / HTTP/1.1
Host: https-accounts-moves--app-com.simulator.freebasics.com
Paypal :
GET / HTTP/1.1
Host: https-paypal-com.simulator.freebasics.com
Bugcrowd :
GET / HTTP/1.1
Host: https-bugcrowd-com.simulator.freebasics.com
Synack :
GET / HTTP/1.1
Host: https-synack-com.simulator.freebasics.com
and discovered that the simulator was stripping their X-Frame-Options headers,
so the contents of those pages were getting embedded into the iframe.
Here is the video POC showing different sites getting clickjacked.
https://youtu.be/ptqQxFUZyZU
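A small check for the failure mode described above, added here as an example and not code from the original post or from Facebook: given the response headers from the origin site and from the proxied copy, it reports which anti-framing protections (X-Frame-Options and the CSP frame-ancestors directive) the proxy dropped. The header values are constructed samples.

```python
# Added example (not from the original post): detect whether a proxied copy of a
# page has lost the anti-framing headers the origin sends. Header values below
# are constructed samples modelled on the stripping the post describes.
from typing import Dict, List


def framing_protection(headers: Dict[str, str]) -> Dict[str, str]:
    """Return the anti-framing directives present in a response header set.

    Checks X-Frame-Options and the CSP frame-ancestors directive (its modern
    replacement). Header names are matched case-insensitively, as in HTTP.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    found: Dict[str, str] = {}
    xfo = lower.get("x-frame-options")
    if xfo:
        found["X-Frame-Options"] = xfo.strip().upper()
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors" and value:
            found["frame-ancestors"] = value.strip()
    return found


def lost_protections(origin: Dict[str, str], proxied: Dict[str, str]) -> List[str]:
    """List anti-framing directives the origin sends but the proxied copy lacks."""
    at_origin = framing_protection(origin)
    at_proxy = framing_protection(proxied)
    return sorted(name for name in at_origin if name not in at_proxy)


# Constructed sample: the origin sends both protections, while the simulator
# copy forwards only Content-Type (the failure mode found in the post).
ORIGIN_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
SIMULATOR_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for name in lost_protections(ORIGIN_HEADERS, SIMULATOR_HEADERS):
        print(f"proxy dropped {name}: page is framable through the proxy")
```

A proxy that fronts third-party sites should forward these headers unchanged (or emit its own frame-ancestors policy), and this check is a quick regression test for that.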
In the evening I got a message from Facebook saying they couldn't reproduce it.
So I tested again and discovered that this bug exists in Firefox version 44.0.2 on Ubuntu.
Also, to exploit this bug the victim needs to authenticate to the website through the Free Basics simulator, which lowers the vulnerability impact.
Though the exploit is hard, this simple bug could have hacked
any site registered under Free Basics.
Now that the bug is fixed, facebook.com has opted out of the Free Basics program,
and they have put their simulator service behind authentication, creating an i_org anti-CSRF token, and also adjusted the clickjacking protection.
After the bug fix was confirmed, Facebook rewarded $500 USD
for my work.
I would like to thank Neal Poole of Facebook Security for assisting with the bug
and clarifying my questions on the issue.
Though the bounty seems low, I am happy that I saved the community
from getting hacked.
Thanks for Reading
Jai Hind :)
Contact info :
facebook : facebook.com/haji.mohd871
twitter : @mohdhaji24
linkedin : linkedin.com/in/mohd-haji-490960a0