Saturday, 30 April 2016

How I could have Hacked/Clickjacked all websites registered under Freebasics including Facebook, Parse, Yahoo, Twitter, PayPal, Synack, Bugcrowd, etc.


In the name of Allah the beneficent the Merciful.


This is my first blog post on a Bug Bounty POC.
It was a Thursday morning; as usual I woke up at 5:30 AM.
After Fajr (prayer) I opened my computer to look at my emails and
got an email from Facebook regarding a website I had submitted to register under Free Basics.

Free Basics platform - service submission updated

Then I clicked the URL I got in the message:

https://partners.facebook.com/fbs/onboarding/?submission_id=xxxxxxxxxxxxx

I was curious why Facebook had rejected my website submission, so I started pentesting the URL field.

I clicked on edit the URL and changed it to a random URL, but before clicking on Test I captured the simulator request in Burp Suite.

I noticed that the X-Frame-Options header was missing.
So I quickly entered facebook.com in the URL field and captured the GET request:

GET / HTTP/1.1
Host: https-m-facebook-com.simulator.freebasics.com

After submitting the GET request I was shocked to see that the Free Basics simulator appeared to be stripping the X-Frame-Options header of facebook.com.
Then I created a clickjacking test page and, sure enough, the facebook.com site was embedded in the frame.

As soon as I found this I quickly reported it to Facebook Security at facebook.com/whitehat.

Here is the video POC link:

https://www.youtube.com/watch?v=Q7BlHACEA64


After some time I tried different websites, like:

Yahoo:

GET / HTTP/1.1
Host: https-yahoo-com.simulator.freebasics.com

Twitter:

GET / HTTP/1.1
Host: https-twitter-com.simulator.freebasics.com

GitHub:

GET / HTTP/1.1
Host: https-github-com.simulator.freebasics.com

Parse:

GET / HTTP/1.1
Host: https-parse-com.simulator.freebasics.com

Moves-app:

GET / HTTP/1.1
Host: https-accounts-moves--app-com.simulator.freebasics.com

PayPal:

GET / HTTP/1.1
Host: https-paypal-com.simulator.freebasics.com

Bugcrowd:

GET / HTTP/1.1
Host: https-bugcrowd-com.simulator.freebasics.com

Synack:

GET / HTTP/1.1
Host: https-synack-com.simulator.freebasics.com



I discovered that the simulator was stripping their X-Frame-Options headers too,
so the contents of those pages were getting embedded into the iframe.

Here is the video POC showing different sites getting clickjacked:
https://youtu.be/ptqQxFUZyZU
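As an added example (not code from the original post), here is a small Python check a defender can run against captured header sets to spot exactly the failure described above: a rewriting intermediary dropping the anti-framing headers the origin sent. The header values and the "proxy" response are constructed samples, and the function names are my own.

```python
"""Detect anti-framing headers lost between an origin and a rewriting proxy."""
from typing import Dict, List, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    # HTTP header names are case-insensitive, so compare lower-cased keys.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(headers: Dict[str, str]) -> Optional[List[str]]:
    """Return the CSP frame-ancestors source list, or None if absent."""
    csp = _header(headers, "Content-Security-Policy")
    if csp is None:
        return None
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]  # an empty list is equivalent to 'none'
    return None


def framing_allowed(headers: Dict[str, str]) -> bool:
    """True if an arbitrary third-party page could embed this response in an iframe."""
    ancestors = frame_ancestors(headers)
    if ancestors is not None:
        # Browsers that support frame-ancestors let it override X-Frame-Options.
        return any(src in ("*", "https:", "http:") for src in ancestors)
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return True  # no protection at all: the bug in this post
    # Anything other than DENY / SAMEORIGIN (e.g. obsolete ALLOW-FROM) is treated
    # conservatively as not protecting against third-party framing.
    return xfo.strip().upper() not in ("DENY", "SAMEORIGIN")


def stripped_protections(origin: Dict[str, str], proxied: Dict[str, str]) -> List[str]:
    """Anti-framing headers present on the origin response but missing downstream."""
    return [
        name
        for name in ("X-Frame-Options", "Content-Security-Policy")
        if _header(origin, name) is not None and _header(proxied, name) is None
    ]


# Constructed sample: what the origin sends versus what a header-stripping proxy forwards.
ORIGIN_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
PROXIED_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
```

In practice you would populate the two dicts from the origin response and from the response served via the intermediary (here, the simulator hostname) and alert whenever `stripped_protections` is non-empty.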

In the evening I got a message from Facebook saying they couldn't reproduce it.
So I tested again and discovered that this bug exists in Firefox version 44.0.2 on Ubuntu.

Also, to exploit this bug the victim needs to authenticate to the website through the Free Basics simulator, which lowers the impact of the vulnerability.

Though the exploit is hard, this simple bug would have allowed hacking
any site registered under Free Basics.


Now that the bug is fixed, facebook.com has opted out of the Free Basics program,
and they have put their simulator service behind authentication, created an i_org anti-CSRF token, and also adjusted the clickjacking protection.

After the fix was confirmed, Facebook rewarded $500 USD
for my work.



I would like to thank Neal Poole of Facebook Security for assisting with the bug
and clarifying my questions on the issue.

Though the bounty seems low, I am happy that I saved the community
from getting hacked.

Thanks for Reading
Jai Hind  :)


Contact info:
facebook: facebook.com/haji.mohd871
twitter: @mohdhaji24
linkedin: linkedin.com/in/mohd-haji-490960a0
