Posted on January 26, 2020

XSS on Facebook-Instagram CDN Server bypassing signature protection


Facebook and Instagram store all photos, videos and other content on their CDN servers, such as "*.fbcdn.net" and "*.cdninstagram.com", which serve them via various sub-domains. Every photo/video URL on the CDN carries a signature (the "oh" and "oe" parameters, among others), which causes an error to be thrown if we modify the file extension (e.g. ".jpg" to ".html").

The first thing that came to mind was: why not strip the unnecessary parameters from the URL and make it as clean as possible? It would then be simply: "https://instagram.fpnq2-1.fna.fbcdn.net/12494762_1700832180174667_9131300789175210564_n.jpg".

The response was "Access Denied". After a lot of digging around, I was able to bypass the signature protection for any image or video, even for links that had already expired. That means I had access to all of the CDN content, including content that is expired for the end user.


Vulnerability Discovery

The URL path starts with a "/v/" segment, which is there to verify the hashes in the URL and decide whether the resource is accessible or not. But removing the "/v/" segment still returns an error: "Access Denied". So I started thinking of ways to reach the content cross-domain, for example:

instagram.fpnq2-1.fna.fbcdn.net. 3599 IN CNAME scontent.xx.fbcdn.net.

Nothing verified the request on the other sub-domain, even though the two sub-domains have no connection between them other than the same origin server. I was able to browse any raw image/video/SRT file. That means we can even change the extension to anything, such as ".html" or ".svg", even ".php" (the PHP shell obviously won't execute, but it demonstrates that we can browse it). So our final URL goes from

https://instagram.fpnq2-1.fna.fbcdn.net/v/t51.2885-15/12494762_1700832180174667_9131300789175210564_n.png?_nc_cat=0&oh=cb7024e12c863937b69c3d6c15589697&oe=5B31E89F

to

https://scontent.xx.fbcdn.net/t51.2885-15/12494762_1700832180174667_9131300789175210564_n.html

and at this point I'm able to execute JavaScript on the CDN server.
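The two defensive properties this bug violated are easy to state: the signature must cover the whole path (extension included) and must be enforced on every hostname that fronts the same origin, and the served Content-Type must come from an allow-list rather than from whatever extension the client asks for. The following is an added example written for this write-up, not Facebook's or Instagram's code; the parameter names "oh" and "oe" and the hostnames come from the post, while the HMAC construction, the hex-encoded expiry, the 32-character hash truncation and the signing key are assumptions.

```python
"""Illustrative signed-URL check for a CDN (added example, not the real implementation)."""
import hmac
import hashlib
import time
from urllib.parse import urlsplit, parse_qs

# Constructed key for the example; a real deployment keeps this in a KMS/HSM.
SECRET_KEY = b"example-cdn-signing-key"

# Hostnames that are CNAMEs of the same origin. Every one of them must run the
# same check; the write-up's bug was one host skipping it.
CDN_HOSTS = {"instagram.fpnq2-1.fna.fbcdn.net", "scontent.xx.fbcdn.net"}

# Content types the CDN is willing to emit, keyed by the extension the object
# was uploaded with. Anything else is served as an opaque download.
ALLOWED_TYPES = {
    ".jpg": "image/jpeg",
    ".png": "image/png",
    ".mp4": "video/mp4",
    ".srt": "text/plain",
}


def sign_path(path, expires):
    """'oh' value: HMAC over the full path (extension included) and the expiry (assumed scheme)."""
    msg = "{}|{:x}".format(path, expires).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:32]


def make_signed_url(host, path, expires):
    """Build a URL in the shape seen in the post: ...?oh=<hash>&oe=<hex expiry>."""
    return "https://{}{}?oh={}&oe={:X}".format(host, path, sign_path(path, expires), expires)


def verify_signed_url(url, now=None):
    """Decide whether a CDN request may be served. Returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    if parts.hostname not in CDN_HOSTS:
        return False, "unknown host"
    qs = parse_qs(parts.query)
    oh = qs.get("oh", [None])[0]
    oe = qs.get("oe", [None])[0]
    if not oh or not oe:
        # Stripping the parameters must deny, on every host alike.
        return False, "missing signature parameters"
    try:
        expires = int(oe, 16)
    except ValueError:
        return False, "malformed expiry"
    if now > expires:
        return False, "expired"
    expected = sign_path(parts.path, expires)
    if not hmac.compare_digest(expected, oh):
        # Any change to the path, including ".jpg" -> ".html", lands here.
        return False, "bad signature"
    return True, "ok"


def response_headers(path):
    """Headers for a served object: allow-listed type, no sniffing, unknown types as attachment."""
    ext = path[path.rfind("."):].lower() if "." in path else ""
    headers = {
        "Content-Type": ALLOWED_TYPES.get(ext, "application/octet-stream"),
        "X-Content-Type-Options": "nosniff",
    }
    if ext not in ALLOWED_TYPES:
        headers["Content-Disposition"] = "attachment"
    return headers


if __name__ == "__main__":
    path = "/t51.2885-15/12494762_1700832180174667_9131300789175210564_n.jpg"
    exp = 0x5B31E89F  # the "oe" value from the post
    good = make_signed_url("instagram.fpnq2-1.fna.fbcdn.net", path, exp)
    for candidate in (good, good.replace(".jpg", ".html"),
                      "https://scontent.xx.fbcdn.net" + path):
        print(verify_signed_url(candidate, now=exp - 100), candidate)
```

The check is keyed on the path and expiry only, never on the hostname, so it yields the same verdict whether the request arrives via instagram.fpnq2-1.fna.fbcdn.net or via the CNAME target; that is exactly the consistency the CDN in the post lacked. The header function adds a second layer: even if a signed object is later reached under an unexpected name, it is never rendered as HTML or SVG.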

Impact

This could have allowed an attacker to run arbitrary JS on the Facebook CDN. It wouldn't have given access to the user's cookies or session, because the CDN is a sandboxed domain, but it could have been used for phishing or as a Linkshim bypass.

Similar Bugs:

Timeline

  • 8 Mar, 2018 – Initial Report Sent.
  • 10 Mar, 2018 – Acknowledgment of Report.
  • 23 Mar, 2018 – Issue Fixed.
  • 28 Mar, 2018 – Bounty Awarded by Facebook.