Monday, June 9, 2014

My Story with Onavo (a Facebook Acquisition)

I usually don't write write-ups on XSS vulnerabilities, but I have made an exception for this one.

When I was checking the Facebook WhiteHat page, I noticed that they had added a new target to the scope: Onavo.

I downloaded their apps and started to intercept the links that I found.

One of the links raised an eyebrow. I said to myself, this looks vulnerable!

The link looks something like this:
http://cf.onavo.com/iphone/mc/deactivate.html?url=/somethingthatIforget/&seed=1394953248

So it looked like it was vulnerable to an open redirect.

I tried the link like this:
http://cf.onavo.com/iphone/mc/deactivate.html?url=http://bing.com&seed=1394953248
It redirected me to http://Bing.com.

At this point I had an open redirect vulnerability, but that wasn't enough for me.

After digging further into how the page works, I realized that it redirects after about 2 seconds, using a meta refresh tag that looked something like this:

<meta http-equiv="refresh" content="0; url=http://bing.com/" />

So I changed the url parameter to make the redirection go to javascript:alert(document.domain), and it worked!

Reflected XSS
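The root cause is that the url parameter is copied into the meta refresh tag without restricting its scheme, so a javascript: URL is accepted just like an http:// one. As an added defender-side example (this is not Onavo's or Facebook's code), here is a small Python validator for a redirect parameter: it resolves relative paths against the page's own origin, accepts only http/https targets on an allowed host, and otherwise falls back to "/". The allowed-host list, the base URL, the fallback path and the 2-second delay are assumptions made for the example.

```python
from html import escape
from urllib.parse import urljoin, urlsplit

# Assumed values for this example: the page's own origin and the hosts it may redirect to.
BASE_PAGE = "https://cf.onavo.com/iphone/mc/deactivate.html"
ALLOWED_HOSTS = {"cf.onavo.com"}
FALLBACK = "/"


def safe_redirect_target(url: str) -> str:
    """Return an absolute http(s) URL on an allowed host, or FALLBACK.

    Rejects javascript:, data: and other non-http schemes, scheme-relative
    URLs (//evil.example/), foreign hosts, and userinfo tricks (host@evil).
    """
    candidate = url.strip()
    # Browsers ignore ASCII control characters inside a scheme ("java\tscript:"),
    # so drop them before parsing instead of letting them hide the scheme.
    candidate = "".join(ch for ch in candidate if ch > "\x1f")
    if not candidate:
        return FALLBACK

    # Resolve against the page's origin: "/path" stays on our host, while
    # "//evil.example/" and absolute URLs keep their own host for the checks below.
    resolved = urljoin(BASE_PAGE, candidate)
    parts = urlsplit(resolved)

    if parts.scheme.lower() not in ("http", "https"):
        return FALLBACK  # javascript:, data:, vbscript: ...
    if parts.hostname not in ALLOWED_HOSTS:
        return FALLBACK  # open redirect to a foreign host
    return resolved


def meta_refresh(url: str, delay: int = 2) -> str:
    """Render the meta refresh tag with a validated, attribute-escaped target."""
    target = safe_redirect_target(url)
    return f'<meta http-equiv="refresh" content="{delay}; url={escape(target, quote=True)}" />'


if __name__ == "__main__":
    # Constructed inputs: the values from the write-up plus a few common bypass attempts.
    for sample in [
        "/somethingthatIforget/",
        "http://bing.com",
        "javascript:alert(document.domain)",
        " JavaScript:alert(1)",
        "java\tscript:alert(1)",
        "//evil.example/",
        "http://cf.onavo.com@evil.example/",
    ]:
        print(repr(sample), "->", meta_refresh(sample))
```

The escape() call is the second half of the fix: even a valid target must not be able to close the content attribute, and the scheme check is what stops the open redirect from becoming XSS.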

Timeline:
Mar 16, 2014 - Reported
Mar 17, 2014 - Email from Saul of Facebook Security acknowledging the issue.
Apr 30, 2014 - The issue seemed fixed to me. I emailed Facebook asking about the current status.
May 1, 2014 - Email from Saul of Facebook Security confirming that the issue has been patched.
May 1, 2014 - Received a payment email from Facebook

Rewards:

Facebook WhiteHat of 2014

a Cash Reward of $500

Final Thoughts:
* Participating in bug bounties gives you experience in different areas, and it helps you build new ideas for security-related issues.
* If you have an open redirect vulnerability, you should test for XSS too.
* Never give up.

Regards,
Mazin Ahmed

3 comments:

  1. Nice find.
    I have a question: how did you find and intercept the URL from the app? Please give a noob-friendly answer.

  2. There are many ways to intercept URLs from Android or iPhone apps. In my case, this app has links; when you click on one, you are transferred to the Safari browser. I took the URLs that way.

    Another way is by using Wireshark. Also, SSL stripping might be useful in some cases.

  3. Very informative post... The way you have explained everything is very impressive.
    event app
