Taking over Facebook Page Tabs

In this post, I'm describing how I was able to take over 4 tabs on Facebook's own Pages.

1. Facebook India Ambassadors

I was browsing Facebook as usual and not in a mood to test anything. I visited Facebook India's page to check whether there was any update from Facebook India, and that's when I noticed a page tab called Facebook India Ambassadors. I clicked on it to see Facebook India's brand ambassadors, and the tab showed a Heroku error page. I was surprised to see that there. It looked interesting, so I decided to dig further. I found out that the tab loads a third-party website in an iframe in the main section.

The URL was http://immense-atoll-4159.herokuapp.com/, and I visited it directly to verify that the subdomain didn't exist. Heroku shows a "does not exist" error page if the subdomain doesn't exist.

So I logged into my Heroku account, created a new project and gave immense-atoll-4159 as the project id. Then I wrote a simple Node.js script as a PoC and deployed it to the Heroku app.

I then visited the Ambassadors tab on Facebook India's page and checked the frame source to confirm that my code was loading there.

2. Facebook India Livestream

Livestream is another tab on the Facebook India page which frames an account from Livestream.com, owned by Vimeo. The framed URL is livestream.com/facebookindia/index.php, and I saw a page not found error in the tab.
I visited livestream.com and created an account there with the username facebookindia, but because of the /index.php suffix I was unable to show content in the tab. If someone visits livestream.com/facebookindia, however, they will see videos uploaded by me.

3. Facebook Portugal Livestream

Facebook Portugal's page had a tab F8 | Live which frames the URL livestream.com/f82011/index.php, but the username didn't exist on Livestream. I was able to take over that username on Livestream by Vimeo. Because of the index.php in the URL, I was unable to serve content in the Facebook Portugal page.

4. Facebook Brasil Recursos

Facebook Brasil had a tab named Recursos which frames the URL https://www.webuzzapps.com/webuzzapp/137331002992480/tab, and it showed an error. When I dug its DNS, nothing was returned. I then went to GoDaddy to check whether the domain webuzzapps.com was available, and saw that the domain is for sale. It's a premium domain, so it's costly, but whoever purchases it can serve content in a tab on Facebook Brasil's page.

Additional Services

1. Facebook India had a tab Stories which frames the URL facebook.involver.com, and the subdomain doesn't exist. Involver is now part of Oracle. Since I'm not familiar with Oracle's services, I'm not sure whether it is possible to take this over.
2. Facebook India had a tab State Election Tracker which frames the URL d6uon097akywu.cloudfront.net, which doesn't exist.
3. Facebook India had a tab #100 Women which frames the URL 100womenindia.votenow.tv, and the dig result is:

100womenindia.votenow.tv. 59 IN CNAME wildcard.votenow.tv.edgekey.net.
wildcard.votenow.tv.edgekey.net. 21599 IN CNAME e5223.g.akamaiedge.net.
e5223.g.akamaiedge.net. 19 IN A

It points to Akamai but isn't claimed there.
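As an added example (not the author's PoC and not Facebook's tooling), here is a small Python checker a page owner could run over the dig output of every host a tab frames: it follows the CNAME chain the way the dig result above does and reports whether the name is NXDOMAIN, a dangling CNAME, or resolving at a hosting provider where the tenant still has to be confirmed as claimed. The provider suffix list, the sample answers and the 192.0.2.10 address are assumptions constructed for this example.

```python
import re

# One dig answer-section line: "<owner> <ttl> IN <type> <rdata>"
ANSWER_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A)\s+(\S+)$")

# Providers whose hostnames can keep resolving after a tenant is deleted, so a
# DNS answer alone does not prove the framed resource is still claimed.
PROVIDERS = {"herokuapp.com": "Heroku", "cloudfront.net": "CloudFront",
             "involver.com": "Involver", "edgekey.net": "Akamai", "akamaiedge.net": "Akamai"}

# Constructed sample answers: the votenow.tv chain mirrors the post's dig output with
# 192.0.2.10 as a placeholder A record; empty lists stand for NXDOMAIN responses.
SAMPLE_DIG = {
    "100womenindia.votenow.tv": [
        "100womenindia.votenow.tv. 59 IN CNAME wildcard.votenow.tv.edgekey.net.",
        "wildcard.votenow.tv.edgekey.net. 21599 IN CNAME e5223.g.akamaiedge.net.",
        "e5223.g.akamaiedge.net. 19 IN A 192.0.2.10",
    ],
    "immense-atoll-4159.herokuapp.com": [],
    "d6uon097akywu.cloudfront.net": [],
}

def parse_answers(lines):
    """Map each owner name to its first (type, rdata) pair, trailing dots stripped."""
    records = {}
    for line in lines:
        m = ANSWER_RE.match(line.strip())
        if m:
            owner, rtype, rdata = m.groups()
            records.setdefault(owner.rstrip("."), (rtype, rdata.rstrip(".")))
    return records

def provider_for(name):
    return next((p for suf, p in PROVIDERS.items() if name.endswith("." + suf)), None)

def classify(host, answers):
    """Follow the CNAME chain from host; return (status, chain, recommended action)."""
    records, chain, name = parse_answers(answers), [host], host
    while True:
        rec = records.get(name)
        if rec is None:  # nothing at this hop: NXDOMAIN at the head, a dangling CNAME later
            return ("nxdomain" if len(chain) == 1 else "dangling-cname"), chain, "remove the tab or re-register " + name
        rtype, rdata = rec
        if rtype == "A":
            provider = provider_for(name)
            return "resolves", chain, (f"confirm the tenant is claimed at {provider}" if provider else "ok")
        if rdata in chain:  # malformed zone data; stop rather than loop forever
            return "cname-loop", chain, "fix the CNAME loop"
        chain.append(rdata)
        name = rdata
```

A "resolves" result with a provider name is exactly the #100 Women case: DNS is healthy, but only the provider's own tenant check tells you whether the name is claimed.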


Facebook triaged these reports, removed the tabs and closed them as informative, saying there was no potential impact.

I told them that an open redirect is possible and that an attacker can also serve JavaScript in the iframe's context (the CSP isn't applicable to JavaScript code within the iframe), and can create fake phishing pages and other forms to convince visitors to enter data.

Facebook responded that "that is an inherent risk of all page tabs: you can redirect people from Facebook to a third-party site."
