How I found RXSS in Facebook, Twitter and Google training academy

Introduction

On December 23, 2019, I received an email from Facebook Workplace introducing the ‘New Workplace Academy,’ which directed me to the domain ‘https://training.wplearn.com.’ While investigating this domain, I discovered it utilized a third-party service called ‘Intellum.’ During my testing, I identified a reflected XSS vulnerability in the login functionality of the site.

Further research led me to use Google dorking to explore other companies employing the same service. Notably, I found that other prominent entities, including Twitter and Google, also utilize the ‘Intellum’ service. Interestingly, I discovered that Facebook Blueprint, a part of the Facebook ecosystem, also relies on this service.

The finding

While logging into Facebook Blueprint and intercepting the request, I observed the following endpoint:

GET /login.php?skip_api_login=1&api_key=xxx&...etc&cancel_url=https://www.facebookblueprint.com/authentication/fb_callback?error=access_denied&error_code=200&error_description=Permissionserror&error_reason=user_denied&state=xxxx#_=_&display=page&locale=en_US&pl_dbl=0

Upon closer examination, I noticed a lack of sanitization for the ‘error_description=’ parameter, allowing me to inject a JavaScript payload and trigger a cross-site scripting (XSS) vulnerability.

Exploiting this flaw could potentially enable an attacker to steal user cookies and obtain the access_token used for authentication on training websites utilizing Intellum.
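To make the bug pattern concrete, here is an added example (my own illustration, not Intellum's code) of a callback handler that reflects error_description the vulnerable way next to the hardened version, plus a log-side check a defender could run; the callback URL is constructed, with the same parameters as the request above.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed example of an OAuth-style callback URL (not a captured request);
# the parameter names match the ones shown in the write-up.
CONSTRUCTED_CALLBACK = (
    "https://academy.example.invalid/authentication/fb_callback"
    "?error=access_denied&error_code=200"
    "&error_description=%3Cscript%3Ealert(1)%3C/script%3E&error_reason=user_denied"
)


def _params(url: str) -> dict:
    """Return the first value of every query parameter in the URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def render_error_vulnerable(url: str) -> str:
    """The bug pattern: provider-supplied error_description is dropped into HTML as-is."""
    p = _params(url)
    return f'<p class="error">Login failed: {p.get("error_description", "")}</p>'


def render_error_hardened(url: str) -> str:
    """Fix: treat error_description as untrusted text and HTML-encode it on output."""
    p = _params(url)
    desc = html.escape(p.get("error_description", ""), quote=True)
    return f'<p class="error">Login failed: {desc}</p>'


def suspicious_error_description(url: str) -> bool:
    """Detection heuristic for access logs: markup metacharacters in error_description,
    which a legitimate provider error message should never contain."""
    desc = _params(url).get("error_description", "")
    return any(ch in desc for ch in "<>\"'")
```

The hardened renderer turns the same input into `&lt;script&gt;...` text, and the detection check flags the request line so reflected-XSS probing against this endpoint is visible in logs.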

Reproduction Steps

https://www.facebookblueprint.com/authentication/fb_callback?error=access_denied&error_code=200&error_description={{Inject_your_payload_here}}

https://training.wplearn.com/authentication/fb_callback?error=access_denied&error_code=200&error_description={{Inject_your_payload_here}}

https://www.twitterflightschool.com/authentication/fb_callback?error=access_denied&error_code=200&error_description={{Inject_your_payload_here}}

https://googleretailtraining.exceedlms.com/authentication/fb_callback?error=access_denied&error_code=200&error_description={{Inject_your_payload_here}}

My notes

  1. Always check ‘error_description=’ parameters for potential XSS vulnerabilities.
  2. This bug represented a zero-day exploit in the Intellum service. Regrettably, there was no response to my notification, and no CVE was issued.
  3. Despite Twitter’s domain being ineligible, their team decided to reward me. You can review my report on HackerOne at https://hackerone.com/reports/770349.
  4. Google clarified that the discovered domains did not belong to them, resulting in no reward for my findings.
  5. I used a simple Google dork to identify other companies utilizing the same service:
  • inurl:/student/catalog "Facebook"
  • inurl:/student/catalog "Twitter"
  • inurl:/student/catalog "Google"

Timeline

  • Initial Report
    • No specified date
  • Meta Bug Bounty | January 8, 2020
    • Report Triaged
  • Meta Bug Bounty | January 13, 2020
    • Report Successfully Fixed
  • Sarmad | January 13, 2020
    • Fix Confirmed
  • Meta Bug Bounty | February 26, 2020
    • Bounty Awarded
