Case Study I - Browser Anomaly with Facebook Apps -1500$

I was studying the behavior of sandboxed iframes and browser permissions like media, geolocation, payment, VR, etc. I came across an interesting chromium article - https://dev.chromium.org/Home/chromium-security/deprecating-permissions-in-cross-origin-iframes that explains much about security controls for embedding third-party untrusted contents into your HTML pages.

Facebook Apps Bug

Facebook Apps (https://apps.facebook.com) allowed you to host your own application (i.e; HTML, JS). They use iframe as protection for the same. (Iframe with sandbox blocks executing the javascript with parent frame reference). Facebook Apps and Games load your code inside an iframe on apps.facebook.com. Let's say app owner has added Facebook Web Games platform with web URL - https://ATTACKER-GAME-URL-EMBED.com/ in-app configuration.

Code of https://ATTACKER-GAME-URL-EMBED.com/ <html> <head> </head> <body> <script> const div = document.createElement('div'); const video = document.createElement('video'); video.style.display = 'block'; document.body.appendChild(div); div.appendChild(video); navigator.mediaDevices.getUserMedia({ video: true }).then(function (stream) { video.srcObject = stream; video.play(); }) .catch(function (error) { }); </script> </body> </html> When a user visits the apps.facebook.com/ATTACKER_APP In the case of Firefox, In order to use a camera, microphone, etc. A Browser will prompt a permission dialog with origin https://ATTACKER-GAME-URL-EMBED.com/, where the user can grant permission. It is the Ideal behavior and secure. In the case of Chrome, In order to use camera, microphone, etc browse will prompt a permission dialog with origin https://APPS.FACEBOOK.COM/, where the user can grant permission. If a user has even given permission to any app on chrome to access camera, microphone then any other malicious app can capture users camera, microphone inputs. Example : The victim has done a video chat with his friend on the below URL. They obviously have granted permission to apps.facebook.com to user camera and microphone. https://apps.facebook.com/videocall/incall/peer_id=100000863782064&call_id=671383720&is_caller=1 Now every app in the Facebook app-store can access the victim's camera, microphone, geography, etc without any explicit permission.

Facebook Reply and Reward.

#facebook #application-security #pentesting #easysiem #sttor #bugbounty #vapt