Monday, June 9, 2014

My Story with Onavo (a Facebook Acquisition)

I usually don't write write-ups on XSS vulnerabilities, but I have made an exception for this one.

When I was checking the Facebook WhiteHat page, I realized that they had added a new target to the scope: Onavo.

I downloaded their apps and started intercepting the links that I found.

One of the links raised an eyebrow. I said to myself that this one looks vulnerable!

The link looks something like this:
http://cf.onavo.com/iphone/mc/deactivate.html?url=/somethingthatIforget/&seed=1394953248

So it looked like it was vulnerable to an open redirect.

I executed the link like this:
http://cf.onavo.com/iphone/mc/deactivate.html?url=http://bing.com&seed=1394953248
It redirected me to http://Bing.com.

At that point I had an open redirect vulnerability, but that was not enough for me.

After digging more into how the page works, I realized that it redirects after about 2 seconds. The page source looked something like this:

<meta http-equiv="refresh" content="0; url=http://bing.com/" />

So I changed the url parameter to redirect to javascript:alert(document.domain), and it worked!

Reflected XSS

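As an added illustration (not part of the original post and not Onavo's code), here is how a server-side handler could validate the url parameter before placing it in the meta refresh, so that javascript: targets, protocol-relative URLs and off-site hosts fall back to a safe default. The allowlisted host is an assumption.

```python
from html import escape
from urllib.parse import urlsplit, urlunsplit

# Hosts a redirect may legitimately target (assumed allowlist for this example).
ALLOWED_HOSTS = {"cf.onavo.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(url: str) -> str:
    """Return a redirect target that is safe to embed in a meta refresh.

    Only two shapes are accepted: a same-site relative path ("/path") and an
    absolute http(s) URL whose host is allowlisted. Everything else, including
    javascript:/data: schemes and protocol-relative "//host", yields the default.
    """
    if not url:
        return DEFAULT_TARGET
    # Reject control characters and whitespace outright: browsers strip
    # tabs/newlines when parsing a scheme, so "java\tscript:" must not slip by.
    if any(ord(ch) <= 0x20 or ch == "\x7f" for ch in url):
        return DEFAULT_TARGET
    # Some browsers treat "\" like "/", so "/\evil.com" would become "//evil.com".
    if "\\" in url:
        return DEFAULT_TARGET
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: exactly one leading slash, never "//host".
        if url.startswith("/") and not url.startswith("//"):
            return url
        return DEFAULT_TARGET
    if parts.scheme.lower() in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return urlunsplit(parts)
    return DEFAULT_TARGET


def meta_refresh(url: str, delay: int = 0) -> str:
    """Build the refresh tag with a validated, attribute-escaped target."""
    target = safe_redirect_target(url)
    # Escaping stops a quote in the path from breaking out of the attribute.
    return f'<meta http-equiv="refresh" content="{delay}; url={escape(target, quote=True)}" />'


if __name__ == "__main__":
    for candidate in ("/somethingthatIforget/", "http://bing.com",
                      "javascript:alert(document.domain)", "//bing.com/"):
        print(candidate, "->", meta_refresh(candidate))
```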
Timeline:
Mar 16, 2014 - Reported
Mar 17, 2014 - Email from Saul of Facebook Security acknowledging the issue.
Apr 30, 2014 - The issue seemed fixed to me. I emailed Facebook asking them about the current status.
May 1, 2014 - Email from Saul of Facebook Security informing me that the issue had been patched.
May 1, 2014 - Received a payment email from Facebook

Rewards:

Facebook WhiteHat of 2014
A cash reward of $500

Final Thoughts:
* Participating in bug bounties gives you experience with many different targets, and it helps you build new ideas about security-related issues.
* If you have an open redirect vulnerability, you should test for XSS too.
* Never give up.


Regards,
Mazin Ahmed