How I hacked Facebook and received a $3,500 USD Bug Bounty

Find out how our Security Researcher Frans Rosén hacked Facebook and found a stored XSS for which he received a bug bounty reward. 

I recently found a Stored XSS on Facebook, which resulted in a Bug Bounty Reward. If you want to know how an XSS could be exploited, you can read my colleague Mathias’ blog post about it. Anyway, here’s how it went down.

I was actually working on finding flaws in Dropbox to begin with. I noticed that when using their web interface there were some restrictions on which filenames were allowed. If you tried to rename a file to, for example:

'">.txt

it was not possible. You got this error:

[Screenshot: Dropbox error message]

But if you instead connected a local directory, created the file there and synced it, it ended up inside Dropbox without any problems. Using this method I was able to find two issues with their notification messages showing unescaped filenames. I reported these issues to Dropbox; they patched them really fast and I was placed on their Special Thanks page for the responsible disclosure.

It didn’t end there. As I was testing this on Dropbox, I also tried to figure out how the issue could be connected with other services. I noticed their Facebook connection and got curious about how it worked. It turned out they had a pretty nice function going on there:

“Dropbox has teamed up with Facebook so that you can do cool things like add files from Dropbox to your Facebook groups or send shared folder invitations to your Facebook friends.”

Nice! I created a group, and found the connection using the “Add File” icon on the Group wall:

[Screenshot: the “Add File” icon on the Facebook group wall]

I selected the file that I had synced to Dropbox, called '">.txt, and shared it. Nothing awesome happened except the file being shared.

But then I clicked the Share link on the entry.

[Screenshot: shared link triggering the stored XSS]

BAM! The title of the entry was not escaped correctly and I was able to get the Stored XSS to trigger. By using the files in my Dropbox I could inject script code that was executed on Facebook.com.

I reported this to Facebook directly using their Whitehat Vulnerability Reporting system, told them it was an urgent issue and explained how I managed to get it executed. At that time the issue only affected the Share popup inside the Group page and could only be triggered by user interaction; serious or not, it clearly did not affect all users on Facebook.

At the same time I started looking at the URL of this Share popup:

https://www.facebook.com/ajax/sharer/?s=44&appid=210019893730&p%5B0%5D=entry_id&p%5B1%5D=user_that_shared_it_first

This URL did not work if you tried it stand-alone. That was good: the XSS issue looked like it could only be triggered by user interaction. But then I started googling and found that you could create a Share URL using this format: https://www.facebook.com/sharer/sharer.php?

So I changed my URL to that format:
https://www.facebook.com/sharer/sharer.php?s=44&appid=210019893730&p%5B0%5D=entry_id&p%5B1%5D=user_that_shared_it_first

BAM again! If you were logged in to Facebook, the code was executed as soon as you visited the link. Bad. Really bad. I emailed Facebook again, explaining that you could trigger the XSS just by visiting a link.

I also tried to find out whether I could get other services to behave in the same way. Dropbox and Facebook had this special connection, so I was curious whether the issue was isolated or whether I could reproduce it using another service.

Went to Pinterest. Created a Pin named:

'">

and shared it on Facebook using my test account. I pressed the Share button on it:

[Screenshot: Share button on the Pinterest entry triggering the stored XSS]

I was amazed – it had the same issue.

Facebook replied, asking how I was able to place files with that filename on Dropbox. I explained how this was done and also told them that the service you shared from didn’t matter; it was a general issue with the escaping that created a vulnerable vector on the Share page.
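An added example (not code from the original post, nor from Facebook or Dropbox) of why a title like '">.txt is enough to break a share dialog, and why escaping only angle brackets does not fix it. The markup shape, the helper names and the second, constructed payload are assumptions made for illustration:

```javascript
// The filename from the write-up: a single quote, a double quote and a closing
// angle bracket. Nothing in it is "script", yet it is enough to change the
// structure of any HTML it is pasted into.
const PAYLOAD = "'\">.txt";

// Constructed marker payload (assumption, not from the write-up): the same
// prefix followed by a harmless tag, used only to count how many elements the
// rendered markup ends up with.
const MARKUP_PAYLOAD = "'\"><b>x</b>.txt";

// A share dialog that puts the shared item's title into an attribute.
// The escaper defaults to the identity, i.e. the unescaped "before" state.
function renderShare(title, escaper = (s) => s) {
  return '<a href="#" title="' + escaper(title) + '">Share</a>';
}

// Common half-fix: neutralise < and > only. Fine for text nodes, useless
// inside an attribute value, where the quote character is what matters.
function escapeTextOnly(s) {
  return String(s).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Context-aware escaping: encode every character that can change parsing in
// text or in a single- or double-quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Reverse the five entities so a test can compare the attribute value the
// browser would see with the title that was supposed to be there.
function decodeEntities(s) {
  return s
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// What the parser keeps as the title attribute: everything up to the first
// unescaped double quote. Anything after that is no longer attribute text.
function extractTitleAttr(html) {
  const m = /title="([^"]*)"/.exec(html);
  return m ? decodeEntities(m[1]) : null;
}

// Number of element openers in the rendered markup. A single <a> is expected;
// more than one means the title escaped its attribute and became markup.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Walk the three renderings of the write-up's payload so the difference is
// visible: the attribute is truncated at the quote in the first two cases and
// survives intact only with context-aware escaping.
function demo() {
  return {
    unescaped: extractTitleAttr(renderShare(PAYLOAD)),
    anglesOnly: extractTitleAttr(renderShare(PAYLOAD, escapeTextOnly)),
    escaped: extractTitleAttr(renderShare(PAYLOAD, escapeHtml)),
    unescapedTags: countTags(renderShare(MARKUP_PAYLOAD)),
    escapedTags: countTags(renderShare(MARKUP_PAYLOAD, escapeHtml)),
  };
}

console.log(demo());
```

The same check applies to any place a third-party title lands: if the attribute value that comes back out is not the title that went in, the escaping is wrong for that context.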

They responded that it was indeed the same issue and that they would look into it ASAP.

In the meantime, I tried the link on different devices. On my iPhone the XSS did not execute: as soon as I visited the page I was redirected to https://m.facebook.com, and that page did not have the same issue. But I also realized that you could force Facebook to skip the redirect by using a parameter called m2w, so if I appended that to the URL:

https://www.facebook.com/sharer/sharer.php?s=44&appid=210019893730&p%5B0%5D=entry_id&p%5B1%5D=user_that_shared_it_first&m2w

I was able to trigger the XSS on both mobile devices and desktop. Another email to Facebook.

One day after that I noticed that the PoC link did not work anymore; it was finally patched. I told them I could not reproduce it anymore and that it looked fixed.

One day later I got this email:

[Screenshot: bug bounty email from Facebook to Frans Rosén]

Nice one!

Date range:

  • Initial report and the PoC link executing the XSS just by visiting it: Dec 22
  • Explained the Dropbox-syncing and extended the scope regarding services and devices: Dec 27
  • Vulnerability fixed: Dec 28
  • Received message about the Bug Bounty: Dec 29

Frans Rosén, Security Advisor


Disposable mail is a fully automated web security scanner created by some of the world’s best ethical hackers. Give our free trial a whirl and check your website for vulnerabilities like Cross-site scripting »


Temp Mails (https://tempemail.co/) is a new free temporary email address service. It provides you with random 10-minute email addresses. It is also known by names such as temporary mail, disposable mail, throwaway email, one-time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Disposable mail Responsible Disclosure Program | Disposable mail Blog

As of today, researchers can report security issues in Disposable mail services to earn a spot on our Hall of Fame as well as some cool prizes. The Disposable mail team has participated in most Responsible Disclosure programs out there and we felt the time had come to have one of our own.

But our service is made for finding web vulnerabilities, so how come we need a Disclosure program? Well. Even though our services are based around finding security bugs in web applications, we are not so naive as to think that our own applications are 100% flawless. We take security issues seriously and will respond swiftly to fix verifiable security issues. If you are the first to report a verifiable security issue, we’ll thank you with some cool stuff and a place on our hall of fame page.

How does the reporting process work?

It’s a 5 step process:

  • A researcher sends a mail using the correct template to [email protected]
  • The researcher will get an automatic response confirming that we have received the issue
  • A support case is automatically created
  • The person assigned to the support case responds to the researcher, verifying the issue
  • The issue is patched and the researcher is showered in eternal

What bugs are eligible?

Any typical web security bugs such as:

  • Cross-site Scripting
  • Open redirect
  • Cross-site request forgery
  • File inclusion
  • Authentication bypass
  • Server-side code execution

What bugs are NOT eligible?

Any typical low-impact or overly complex issues, such as:

  • Missing Cookie flags on non-session cookies or 3rd party cookies
  • Logout CSRF
  • Social engineering
  • Denial of service
  • SSL BEAST/CRIME/etc

So what are you waiting for?

Sign up for Disposable mail here.


Disposable mail’s Frans Rosén #2 on HackRead’s 10 Famous Bug Bounty Hunters of All Time

Disposable mail’s knowledge advisor Frans Rosén has worked with security research for many years, and is a top-ranked participant in bug bounty programs, having received the highest bounty payout ever on HackerOne.

Frans is also a frequent blogger at Disposable mail Labs, where he writes about his security research. He talks at security events, raising awareness about information security and sharing his experience as a white hat.

Last week, we were happy to see that HackRead featured Frans on their list of 10 Famous Bug Bounty Hunters of All Time, along with security researchers like Roy Castillo, Emily Stark and Shubham Shah.

[Screenshot: HackRead’s feature on Frans]

See the full list of Hackread’s 10 famous bounty hunters here. 

 


Inside the head of a white hat hacker

Yesterday, Disposable mail’s Knowledge Advisor Frans Rosén gave an inspiring talk about white hat hacking and web security at Computer Sweden’s event Säkerhetsdagen 2016 in Stockholm. His four recommendations to the audience were:

1) Set up a security contact for your company as soon as possible

2) Establish a Responsible Disclosure Policy

3) Work with bug bounties, rewards and feedback to the security researchers that report security issues

4) Automation is a must when it comes to security

Watch his presentation here (in Swedish):


IT Security FAQ 5: What is White Hat vs Black Hat hacking? And what is a bug bounty hunter/program?

Comparing White Hat to Black Hat hacking is kind of like comparing the good guys to the bad guys. White Hat hackers look for vulnerabilities and report them, whereas Black Hat hackers have a more mischievous agenda. They are the guys you usually see in the movies hacking a bank and stealing money. White Hat hackers are the people working to make the world a safer place – like your favorite team of hackers at Disposable mail!

Comment from our expert:
“White Hat hackers are security consultants and good-hearted people that find vulnerabilities on sites and services and report them to the company to prevent them from being hacked in the future. Many companies offer “Bug Bounty Programs” where they ask White Hat hackers to try and hack their sites in order to find loopholes, and in return they get a cash award for it.”

“The bigger the security breach they find, the more money the company is willing to pay. Hackers looking for those kinds of bugs and vulnerabilities on sites to get those kinds of awards are referred to as Bug Bounty Hunters,” explains Johan Edholm at Disposable mail.

Want more IT security information? Don’t miss out on the other parts of our IT Sec FAQ series!


Disposable mail Crowdsource Monthly Recap | WordPress vulnerabilities galore

With over 1200 hits generated by Crowdsource submissions, September was our second best month so far. We have added many new vulnerabilities affecting WordPress, both core and plugins. A few of the plugins are used by a large number of WordPress installs, as you can read in our article listing all our newly added vulnerabilities. Many of these modules were submitted by this month’s hacker, Yasin Soliman.

[Image: Crowdsource monthly recap - September]

Improvements in the platform

New vulnerabilities are far from all that has happened in September. The platform and community have had a few big changes, and many of the improvements were based on the feedback we received from members of the Crowdsource community. We sent a survey to all invited researchers, and we want to thank everyone who took the time to answer it. The results showed us that we are focusing on the right things, and the platform will see a few major changes that our researchers will love. Stay tuned!

The first update we’ve released is that researchers from Crowdsource can now get a “fixed bounty” for their submissions. This means that the researcher will receive a fixed payout besides the regular payout per hit. We hope that this change will encourage researchers to submit modules of high quality that may not generate a lot of hits, but are equally important to us.

Top finding

In September, the top finding was an open redirect affecting the latest version of WordPress.

Hacker of the month

The Disposable mail Crowdsource hacker of the month is Yasin Soliman, a 17-year-old UK-based security researcher who submitted more than 25 valid modules to Crowdsource in September. We got the opportunity to interview Yasin about his participation in Crowdsource, his security role models and his view on other bug bounty programs.

Guest Blog: Don’t Leave your Grid Wide Open

Our guest blogger and Disposable mail Crowdsource hacker Peter Jaric explains how Selenium Grid could be exploited to read files on the server.


Meet the team: Kristian Bremberg – Community-minded ethical hacker who loves to help out

“My whole life is circling around IT security,” Kristian Bremberg says, half-jokingly. The Community Manager of Disposable mail’s ethical hacking platform Disposable mail Crowdsource is passionate about defensive security, building communities, and helping people learn.

[Photo: Kristian Bremberg, Disposable mail Crowdsource]

Got his first computer at 16

Hacking hasn’t always been part of Kristian’s life. As a child, he dreamed of becoming a cargo ship captain and crossing the Atlantic Ocean. His plans for the future changed when he got his first computer at the age of 16 and an internet connection two years later. The potential of the web instantly sparked Kristian’s interest. “The concept of search engines just amazed me. You can search for anything and find the answer, so in the beginning, I would just try to challenge Google day in and day out,” he explains.

It all started with games

Kristian eventually found his way to the online gaming community and started hacking games. “Funnily enough, it all started with cheating in games,” Kristian laughs. He soon moved on and started learning about security and making the internet more secure. “Maybe it’s my conscience after cheating in games, but I’ve always been on the defensive side of security, aiming to do good,” he adds.

From malware and IT forensics to web hacking

After discovering security, Kristian began to explore different areas in order to learn as much as possible. Over the last couple of years, he has worked with Tor, malware detection and IT forensics. Forensics fascinated him so much that he wrote a book on the topic for his friends: “It’s not published and it wasn’t serious or well-formatted, I did it for fun. I was really into IT forensics, it was the only thing I could think about!” However, his interest in security did not stop there and Kristian eventually found his way to web hacking and bug bounties.

The community spirit

Being part of a community and helping others learn has always been crucial in Kristian’s security journey: “I’ve done a lot of community stuff, hosting CTFs and writing guides, for example. I love being part of a community and helping people.” His active presence in the web security community was what brought him to Disposable mail as he met two of the company’s founders at Sec-T, a Swedish security conference.

Kristian liked Disposable mail’s vision of a safer internet and started out by writing guest blogs on a range of topics such as HPKP and Tor. Considering his knack for helping others learn, it is no surprise that his articles aim to show readers how to configure security features! “I try to focus on things that help people. I’m not a big fan of just finding vulnerabilities, I’m a fan of finding solutions,“ Kristian explains.

Building Disposable mail Crowdsource

Since joining Disposable mail in 2016, Kristian has been working as Community Manager at Crowdsource, Disposable mail’s crowdsourced security platform. He was part of the Crowdsource initiative from the very beginning and was there to welcome the first members to the community. “People are so curious about Crowdsource and love the innovative idea,” Kristian says. Crowdsource allows ethical hackers to submit their findings that are then built into the Disposable mail scanner. The community now has over 100 members and has become an important source of Disposable mail security tests.

A new kind of bug bounty workflow

Kristian explains that Crowdsource complements researchers’ participation in traditional bug bounty programs. Researchers can report findings on platforms like HackerOne or Bugcrowd and then submit the same vulnerability to Crowdsource, where their submission can help secure thousands of websites.

“As soon as a researcher finds something that affects an entire platform, framework, or technology, they can come to us. It fits perfectly into their workflow, challenges them, and gives their research a broader scope,” Kristian says and explains that hackers have different approaches to Crowdsource. “Some like to submit low severity vulnerabilities that generate a lot of hits, while others prefer to submit critical findings. 1000 hits at $1 per hit or 10 hits at $100 per hit will get you a $1000 payout either way, so it’s a matter of looking for what you find most interesting.”

The freedom of working remotely

Kristian lives in Skåne in the south of Sweden and works remotely, visiting Disposable mail HQ in Stockholm for team events and meetings. He says the freedom of working remotely suits him, although it can be challenging to get used to it: “I like remote work because Disposable mail is really about knowledge sharing and doing things together. I love working with my colleagues and across different teams!”

Kristian’s daily tasks involve much more than just community management: “I develop modules, that is, the submissions that Crowdsource members send in. I also do research, testing vulnerabilities to figure out how to implement them and improve existing modules.” Alongside his work with the backend team that develops the core service, he often joins sales and marketing meetings to share Crowdsource news and learn about customers’ feedback and requests.

The growing Crowdsource community

Kristian’s plans for Crowdsource are ambitious, but his passion for the community leaves no doubt that Crowdsource will continue to grow. One of his key goals is to encourage developers without extensive hacking experience to join the platform. “Developers have great insights into how their technologies and frameworks work,” Kristian explains, adding that submitting a finding to Crowdsource does not require a background in security research.

His advice to aspiring Crowdsource members is simple: “Focus on what you think websites are vulnerable to. Today, many vulnerabilities are specific to websites rather than technologies, but what we’re looking for are findings with a wide scope.”

Q&A with Kristian

iPhone or Android? iPhone! I used to hate iPhone and only used Android, I rooted them and I was such an Android geek. Now I’ve grown up and I just use my phone, I don’t play with it anymore.

Mac or PC? I have both, and a Linux! I use Windows, I use MacOS, I use Linux! On a daily basis, I actually use them all.

#1 security advice? That’s a really hard question! Many people won’t agree with me, but I actually love CSP. If you get it to work, you can protect against CSRF, XSS, HTML injection and stealing CSRF tokens. There’s so much you can do with modern web browser security features. Some people prefer to focus on protecting the website, but I think that protecting the client is really important!

Favourite security issue? I would say server-side request forgery, I think that vulnerability is so interesting. When you first find it, it’s kind of serious already, but if you try to get internal data, you can pivot and get it to an RCE and you can even try an SQL injection and so on. I like that because I like vulnerabilities where you can pivot.

Favourite security resources? The netsec subreddit is the best source for IT security news in general. I also like public HackerOne reports, they’re fun to read and you always learn a lot by reading them. The WordPress vulnerability database is interesting too. Other than that, Twitter is absolutely great and it’s the best way to get news quickly!

Think Disposable mail Crowdsource sounds interesting? Read Kristian’s article on how to become a Crowdsource hacker, then head over to the official Crowdsource website to join the community. 


3 ways white-hat hackers can help you protect your website

White-hat hackers are experts at discovering vulnerabilities and they want to help you improve your security. You may never be able to hire them for a full-time position, but they can play a key role in protecting your web application. Here are three ways to leverage their knowledge and keep your website safe.

1. Responsible disclosure

Most companies first approach the security community by implementing a responsible disclosure policy. Responsible disclosure allows security researchers to look for vulnerabilities and report them to the vendor without running the risk of legal action. Having a responsible disclosure policy in place signals that an organisation is open to vulnerability reports from white-hat hackers.

[Infographic: Responsible disclosure (click to enlarge)]

Tech giants in Silicon Valley were the first to implement responsible disclosure despite having security teams of their own. This shows that everyone, regardless of organisation size and the level of internal security knowledge, can benefit from asking white-hat hackers for help.

Getting started

Before you go ahead and implement a responsible disclosure policy, make sure you have the resources and a process to follow up on vulnerability reports. Receiving your first report can be stressful, but establishing a routine for evaluating reports and fixing vulnerabilities will help you keep your security work structured. If you’d like to get started with responsible disclosure, you can take a look at our Guide to Responsible Disclosure, which answers some commonly asked questions.

2. Bug bounty

If responsible disclosure is the first step towards bringing businesses and white-hat hackers closer together, bug bounty is what comes next. Bug bounties are essentially responsible disclosure programs that reward white-hat hackers for reporting vulnerabilities. The rewards can be anything from t-shirts and stickers to payouts adding up to thousands of dollars.

[Infographic: Bug bounty (click to enlarge)]

Bug bounties often receive considerable attention in the media, especially when large monetary rewards are involved. You may have heard of companies like Google paying out immense sums to white hats who reported critical vulnerabilities to them. Back in 2014, our security researchers discovered a vulnerability that gave them read access to Google’s production servers, which resulted in a $10,000 bug bounty. However, this is by no means the biggest bug bounty payout of all time!

Getting started

The majority of companies do not run bug bounty programs on their own, but partner with a dedicated platform like HackerOne or BugCrowd. Using a platform makes it easier for the organisation to structure their bug bounty program and get access to white-hat hackers who can help them find vulnerabilities.

3. Automated bug bounty – Disposable mail Crowdsource

With responsible disclosure and bug bounty programs, companies can only remediate one vulnerability at a time. Turning to the security community is a step in the right direction, but what if white-hat knowledge could scale? This is a question we are aiming to answer with our crowdsourced security platform Disposable mail Crowdsource.

Disposable mail Crowdsource is an invite-only ethical hacking platform that combines bug bounties with automation. Skilled white-hat hackers discover vulnerabilities in widely used technologies and submit their findings to Crowdsource. All submissions are reviewed by Disposable mail’s security team and those that are accepted are built into the Disposable mail scanner. This way, every submission is turned into a security test that runs on our customers’ websites.

[Infographic: Disposable mail Crowdsource (click to enlarge)]

Instead of only securing a single web application, one vulnerability report can secure thousands! Every time the security test identifies a vulnerability, the white-hat hacker who submitted the finding gets a payout.

White-hat hackers who submit their findings to Disposable mail Crowdsource can also participate in traditional bug bounty programs as we don’t require exclusivity. As long as the discovered vulnerability can be automated, we’re interested in it!

Getting started

If you use Disposable mail to monitor your security, you are already benefiting from what Crowdsource has to offer. Every time you scan your web application with Disposable mail, your scan includes crowdsourced security tests. All findings that were discovered using a module from Crowdsource are tagged with the “Crowdsource” tag.

If you are not using Disposable mail yet, you can give it a try by signing up for our free trial that gives you access to all Disposable mail security tests, including those sourced from Crowdsource.

[Screenshot: all findings sourced from Disposable mail Crowdsource are tagged with the “Crowdsource” tag]
