Introduction
On December 23, 2019, I received an email from Facebook Workplace introducing the ‘New Workplace Academy,’ which directed me to the domain ‘https://training.wplearn.com.’ While investigating this domain, I discovered it utilized a third-party service called ‘Intellum.’ During my testing, I identified a reflected XSS vulnerability in the login functionality of the site.
Further research led me to use Google dorking to explore other companies employing the same service. Notably, I found that other prominent entities, including Twitter and Google, also utilize the ‘Intellum’ service. Interestingly, I discovered that Facebook Blueprint, a part of the Facebook ecosystem, also relies on this service.
The finding
While logging into Facebook Blueprint and intercepting the request, I observed the following endpoint:
GET /login.php?skip_api_login=1&api_key=xxx&...etc&cancel_url=https://www.facebookblueprint.com/authentication/fb_callback?error=access_denied&error_code=200&error_description=Permissionserror&error_reason=user_denied&state=xxxx#_=_&display=page&locale=en_US&pl_dbl=0
Upon closer examination, I noticed that the ‘error_description=’ parameter of the cancel_url callback was reflected into the page without sanitization, allowing me to inject a JavaScript payload and trigger a reflected cross-site scripting (XSS) vulnerability.
Exploiting this flaw could potentially enable an attacker to steal user cookies and obtain the access_token used for authentication on training websites utilizing Intellum.
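To make the failure mode concrete, here is an added Node.js example (it is not Intellum's code, nor the author's) of the pattern described above: a callback handler that parses `error_description` out of the `fb_callback` URL, a vulnerable renderer that concatenates it straight into HTML, the hardened renderer that HTML-encodes it first, and a small log scan that flags callback requests carrying markup in that parameter. The handler names, the `example.invalid` host and the access-log lines are all constructed for the example.

```javascript
// Added example: reflected XSS via an OAuth-style error_description parameter,
// with the escaping fix and a defensive log check. Runs on Node.js (global URL).

// Minimal HTML entity encoder for inserting untrusted text into an HTML text node.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pull the OAuth-style error fields out of a callback URL such as
// /authentication/fb_callback?error=...&error_code=...&error_description=...
// URLSearchParams percent-decodes the values for us.
function parseCallback(urlString) {
  const p = new URL(urlString).searchParams;
  return {
    error: p.get("error"),
    errorCode: p.get("error_code"),
    errorDescription: p.get("error_description"),
  };
}

// Vulnerable rendering (the pattern the write-up describes): the attacker-
// controlled description lands in the page verbatim, so <script> executes.
function renderErrorUnsafe(fields) {
  return `<p class="error">Login failed: ${fields.errorDescription}</p>`;
}

// Hardened rendering: contextual output encoding before insertion.
function renderErrorSafe(fields) {
  return `<p class="error">Login failed: ${escapeHtml(fields.errorDescription)}</p>`;
}

// Defensive check for access logs or a WAF rule: flag values containing
// markup-significant characters, decoding once more to catch double encoding.
function looksLikeMarkupInjection(value) {
  if (value === null) return false;
  let decoded = value;
  try { decoded = decodeURIComponent(value); } catch (_) { /* keep raw value */ }
  return /[<>"']|javascript:/i.test(decoded);
}

// Constructed sample access-log lines: one benign denial, one reflected-XSS probe.
const SAMPLE_LOG = [
  '10.0.0.5 - - [08/Jan/2020:10:00:01 +0000] "GET /authentication/fb_callback?error=access_denied&error_code=200&error_description=Permissions+error&error_reason=user_denied HTTP/1.1" 200 512',
  '10.0.0.9 - - [08/Jan/2020:10:00:07 +0000] "GET /authentication/fb_callback?error=access_denied&error_code=200&error_description=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540',
];

// Return the request paths whose error_description carries markup.
function findSuspiciousRequests(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/"GET (\S+) HTTP/);
    if (!m) continue;
    // Prefix a placeholder origin so the relative path parses as a URL.
    const fields = parseCallback("https://example.invalid" + m[1]);
    if (looksLikeMarkupInjection(fields.errorDescription)) hits.push(m[1]);
  }
  return hits;
}

// Stand-alone demo.
const probe = parseCallback(
  "https://example.invalid/authentication/fb_callback?error=access_denied&error_code=200&error_description=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
);
console.log("unsafe:", renderErrorUnsafe(probe));
console.log("safe:  ", renderErrorSafe(probe));
console.log("flagged requests:", findSuspiciousRequests(SAMPLE_LOG));
```

The safe renderer only covers the HTML text-node context; if the description were echoed into an attribute, a script block or a URL, the encoding would have to match that context instead. In a real deployment the encoding belongs in the template engine's default escaping rather than a hand-rolled helper, and a Content-Security-Policy without `unsafe-inline` limits the damage if a sink is missed.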
Reproduction Steps
https://www.facebookblueprint.com/authentication/fb_callback?error=access_denied&error_code=200&error_description={{Inject_your_payload_here}}
https://training.wplearn.com/authentication/fb_callback?error=access_denied&error_code=200&error_description={{Inject_your_payload_here}}
https://www.twitterflightschool.com/authentication/fb_callback?error=access_denied&error_code=200&error_description={{Inject_your_payload_here}}
https://googleretailtraining.exceedlms.com/authentication/fb_callback?error=access_denied&error_code=200&error_description={{Inject_your_payload_here}}
My notes
- Always check ‘error_description=’ parameters for potential XSS vulnerabilities.
- This bug represented a zero-day exploit in the Intellum service. Regrettably, there was no response to my notification, and no CVE was issued.
- Despite Twitter’s domain being ineligible, their team decided to reward me. You can review my report on HackerOne at https://hackerone.com/reports/770349.
- Google clarified that the discovered domains did not belong to them, resulting in no reward for my findings.
- I used a simple Google dork to identify other companies utilizing the same service:
inurl:/student/catalog "Facebook"
inurl:/student/catalog "Twitter"
inurl:/student/catalog "Google"
Timeline
- Initial Report | No specified date
- Report Triaged | Meta Bug Bounty | January 8, 2020
- Report Successfully Fixed | Meta Bug Bounty | January 13, 2020
- Fix Confirmed | Sarmad | January 13, 2020
- Bounty Awarded | Meta Bug Bounty | February 26, 2020