Skip to content

XSS in the iOS Facebook App

A few months ago, I found an XSS on the iOS mobile Facebook app, and contacted facebook about the flaw via their white hat page, unfortunately for me, I wasn’t eligible for anything because the flaw had already been reported (guys, even t-shirt would have been fun). Since the iOS mobile app had to be updated, I decided to wait before writing a blog post about it, but a few days ago, there it was, a new, fresh, and faster mobile app ! So here is my blog post !

How to Become a White Hat on Facebook :

Test accounts are available and can be created on the fly via the white hat page. Only those accounts should be used to test vulnerabilities on Facebook.

How to Report a Vulnerability on Facebook :

There is a dedicated page for that too. Try to include as many detail as possible on the discovered flaw, and stay clear in the explanations. ! (even if sometimes it’s difficult). If the problem as never been discovered before you might be eligible for a bounty.

To qualify for a bounty, you must:
  • Adhere to our Responsible Disclosure Policy:

    … give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research …
  • Be the first person to responsibly disclose the bug
  • Report a bug that could compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within Facebook’s infrastructure, such as:

    • Cross-Site Scripting (XSS)
    • Cross-Site Request Forgery (CSRF/XSRF)
    • Broken Authentication (including Facebook OAuth bugs)
    • Circumvention of our Platform/Privacy permission models
    • Remote Code Execution
    • Privilege Escalation
    • Provisioning Errors
  • Please use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing. Do not interact with other accounts without the consent of their owners.
  • Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)
Our security team will assess each bug to determine if it qualifies.
  • Our minimum reward is $500 USD
  • We will increase the reward for severe or creative bugs
  • Only 1 bounty per security bug will be awarded
The following bugs aren’t eligible for a bounty (and we don’t recommend testing for these):
  • Security bugs in third-party applications (e.g.,[app_name])
  • Security bugs in third-party websites that integrate with Facebook
  • Denial of Service Vulnerabilities
  • Spam or Social Engineering techniques

So, now, let’s have a look at the XSS discovered.

An Old XSS, Step by Step :

  • You had to create a “note” via a computer

  • Once that part was done you could connect via the Facebook app on your iPhone and select that note
  • You had to click on the edit button and simply re-write your Javascript code.
  • Once Saved you could see your XSS in action


And that was it.



Post a Comment

Your email is never published nor shared. Required fields are marked *