Sarmad Hassan

Published On: 26 Feb 2020

$2,620

How I found XSS in Facebook, Twitter and Google training academy

XSS
Facebook | Web
---
MEDIUM VALID

On 23 Dec 2019, I got an email from Facebook Workplace about "Introducing the New Workplace Academy!", which mentioned the domain "https://training.wplearn.com". While testing this domain I noticed it uses a third-party service called "Intellum". I tested the site's login functionality and found a reflected XSS in it. I also used a Google dork to find other companies using the same service, such as Twitter and Google, and found that Facebook Blueprint uses the same service too.

Description

While logging in to Facebook Blueprint and intercepting the request, I saw the endpoint below:

GET /login.php?skip_api_login=1&api_key=xxx&...etc&cancel_url=https://www.facebookblueprint.com/authentication/fb_callback?error=access_denied&error_code=200&error_description=Permissionserror&error_reason=user_denied&state=xxxx#_=_&display=page&locale=en_US&pl_dbl=0

I noticed that the value of the "error_description=" parameter in the fb_callback URL was not sanitized or encoded before being reflected into the page, so I was able to inject a JS payload and trigger XSS.
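The pattern behind the bug, as an added example that is not code from Intellum, Facebook or this report: an OAuth-style callback handler that reflects the error_description query parameter into the page body, first unescaped (the vulnerable shape) and then HTML-escaped, plus the check a tester runs to tell the two apart with a harmless canary instead of a live payload. Function names, the page template and the canary value are all hypothetical.

```javascript
// Added example, not code from Intellum, Facebook or the report author.
// Models an OAuth-style callback such as
//   /authentication/fb_callback?error=access_denied&error_description=...
// and shows why reflecting error_description unescaped is a reflected XSS.
// All function and parameter names below are hypothetical.

// Minimal HTML escaping for text placed inside an element body.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the raw query parameter is concatenated into the HTML body,
// so any markup the attacker puts in the URL is parsed by the browser.
function renderCallbackVulnerable(queryString) {
  const params = new URLSearchParams(queryString);
  const desc = params.get('error_description') || 'Unknown error';
  return `<html><body><h1>Login failed</h1><p>${desc}</p></body></html>`;
}

// Hardened: same page, but the parameter is escaped before insertion,
// so the browser renders it as text rather than markup.
function renderCallbackSafe(queryString) {
  const params = new URLSearchParams(queryString);
  const desc = params.get('error_description') || 'Unknown error';
  return `<html><body><h1>Login failed</h1><p>${escapeHtml(desc)}</p></body></html>`;
}

// Tester's check: send a unique canary wrapped in angle brackets through the
// full error-parameter set and see whether it comes back with the brackets
// intact. Returns true when the markup is reflected unencoded (injectable).
function reflectsUnencoded(renderFn, canary) {
  const probe = `<${canary}>`;
  const qs =
    'error=access_denied&error_code=200&error_description=' +
    encodeURIComponent(probe) +
    '&error_reason=user_denied';
  const body = renderFn(qs);
  return body.includes(probe) && !body.includes(escapeHtml(probe));
}

// Stand-alone demo with a constructed canary.
const canary = 'xss7f3a';
console.log('vulnerable reflects unencoded:', reflectsUnencoded(renderCallbackVulnerable, canary));
console.log('hardened reflects unencoded:  ', reflectsUnencoded(renderCallbackSafe, canary));
```

The canary check is the same idea as note 1 below: any error-description style parameter that an identity provider passes back into an HTML page is worth probing, and a bracketed nonce tells you whether the sink is encoded without needing a working payload.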

Impact

This could have let an attacker steal user cookies and obtain the access_token used to authenticate to the training websites built on Intellum.




Reproduction Steps

My Notes

1- When it comes to "error_description=" parameters, always check for XSS.
2- This bug was a zero-day in the Intellum service, but unfortunately they didn't respond to my email, and I didn't get any CVE for it.
3- The Twitter team decided to reward me even though their domain was ineligible; they rewarded me $1,120. You can check my report on H1: https://hackerone.com/reports/770349
4- Google said the domains I found don't belong to them, so I didn't get any reward from them.
5- Don't forget the power of "Google Dorking".
6- I made a simple Google dork to find other companies that use the same service, as below:
   inurl:/student/catalog "Facebook"
   inurl:/student/catalog "Twitter"
   inurl:/student/catalog "Google"

Special Thanks

I would like to thank the Twitter security team for rewarding me with that bounty; thank you guys for your generosity. Also a special thanks to the Facebook security team for rewarding me with that great bounty, thank you guys ;)


Videos

Timeline
Sarmad, 23 Dec 2019: Initial Report
Facebook, 08 Jan 2020: Report Triaged
Facebook, 13 Jan 2020: Report Fixed
Sarmad, 13 Jan 2020: Fixed Confirmed
Facebook, 26 Feb 2020: Bounty awarded - $1,500