Tuesday 9 April 2013

A Facebook Third Party XSS Privacy Slip-up

Back in January Facebook introduced a new feature that allowed you to send in questions to their Chief Privacy Officer, Erin Egan.

It turns out the question form contained an XSS vulnerability :)

Erin where you at?

The Facebook page was pretty straight forward, a bit of blurb and a form to submit your questions.

Here's the question form:
I assumed the question would be sent straight to Facebook but I was curious exactly how/where. Looking at the page code I saw something similar to the following:  

The form actually posted to Jotform.me, not Facebook. Looks like it's a third party plugin of some kind?

The Jotform form

To better understand what was going on I headed to Jotform.com and signed up for a free account. I created a form identical to the Facebook form and injected an XSS image payload into every field.

When I viewed my submissions page I got the following:

Looks like we've found a stored XSS vulnerability. Digging into the page code you can see that we didn't even need to break out of an attribute, html tags are just accepted and rendered! Uh oh.

To gain access to Erin's Jotform account all we'd need to do is submit a standard XSS payload through the Facebook form and wait until she views her submissions on the Jotform site. It's almost too easy.

Now the clever ones among you may have noticed the irony of this situation. By gaining access to the Facebook JotForm account we'd be able to see all of the privacy questions people submitted through the Facebook site. Essentially breaching the privacy of people's privacy questions!

Privacy breaches aside, we could also target Erin directly with social engineering, redirect her to our own malicious site with the latest Adobe/Java exploits or a phishing page. XSS is really just the first step, there are many ways we could potentially drop the pwnage.

Speaking of pwnage...

Pwning every JotForm user

Although I didn't test this, it appears that it would be trivial to exploit almost every JotForm user by simply submitting malicious post requests across multiple account IDs. Post requests are non-authenticated and sent to a predictable URL:

e.g. http://submit.jotform.me/submit/30563167563456

With a little python/perl/ruby we could easily create a script to iterate through those ID numbers.

Or to speed this up we could distribute the attack by creating a worm that used some javascript to force users into re-posting to many different IDs thus spreading the payload. Gradually we'd compromise every single JotForm user. Nice.

Preventing stored XSS

Addressing XSS is usually straight forward. Some basic filtering/encoding of quotes and brackets normally does the job. However because Jotform actually used the tags from user submissions they had decided to implement a blacklist approach to filter malicious content. While this provided some protection it was trivial to evade.

As we saw earlier they missed the image event handler. They also missed the embed tag that I mentioned in my last post:

I've only covered the obvious examples, no doubt there are many more XSS vectors lurking on JotForm :)


Lesson number one, never trust third parties. If they get hacked, you get hacked.

Lesson number two, don't allow the inclusion of user defined HTML, it's just asking for trouble.

Both Facebook and Jotform were notified of these issues and they have now been fixed. Thanks to both companies for the quick responses!

Pwndizzle out