Johns Simon
Dec 22, 2017 · 2 min read

$7500 worth DOM XSS in Facebook Mobile Site

I was recently targeting the Adobe website for any vulnerabilities. I came to know that they were using (Facebook/Gmail) login to sign in instantly. When I clicked 'Sign in with Facebook', the Facebook app login page was loaded. I just checked the URL and saw there was a 'cancel_url' parameter, which holds the URL to which it redirects if the user chooses to cancel the login process. The page redirects to it when 'Not Now' is clicked. I checked the source code of the page and saw that the URL to redirect to was stored in the 'href' attribute:

<a href="" />

I was wondering if it was vulnerable to XSS. So I checked by inputting the JavaScript pseudo-protocol 'javascript:prompt(1)' and clicked 'Not Now', and I was shocked to see the prompt 🤤. What could an XSS on a login page do? 🤔

The password and username can be stolen if the user chooses to exit (clicking 'Not Now') rather than logging in 😁. Here is a test to just pop up the Facebook username entered by the user when 'Not Now' is clicked: prompt(test);
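The root cause is a redirect parameter written straight into an href without checking its scheme. As an added example that is not part of the original post or Facebook's code, this is how a parameter such as cancel_url can be validated before it reaches an href; the allowed origins and the fallback page are assumed values.

```javascript
// Added example (not Facebook's code): validate a redirect URL such as a
// cancel_url parameter before it is written into an <a href> attribute.
// Only http(s) URLs whose origin is on an allowlist are accepted; anything
// else (javascript:, data:, vbscript:, protocol-relative "//other-host")
// falls back to a fixed safe page.

const SAFE_FALLBACK = "https://m.facebook.com/"; // assumed fallback page
const ALLOWED_ORIGINS = new Set([              // assumed allowlist
  "https://m.facebook.com",
  "https://www.facebook.com",
]);

function safeRedirectUrl(candidate, allowedOrigins = ALLOWED_ORIGINS, fallback = SAFE_FALLBACK) {
  if (typeof candidate !== "string" || candidate.length === 0) return fallback;
  let url;
  try {
    // Resolve against the fallback so a relative path like "/home" stays on our origin.
    // The URL parser strips leading whitespace/control characters and lowercases the
    // scheme, so " JavaScript:prompt(1)" still yields protocol "javascript:" and is rejected.
    url = new URL(candidate, fallback);
  } catch (e) {
    return fallback; // unparsable input
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return fallback; // blocks javascript:, data:, ...
  if (!allowedOrigins.has(url.origin)) return fallback; // also blocks open redirects to other hosts
  return url.href; // serialized form: ", <, > and controls are percent-encoded
}

// Minimal attribute escaping so the value is safe inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// The weak pattern wrote params.get("cancel_url") into href directly; this version
// only ever emits a validated http(s) URL on an allowed origin.
function renderCancelLink(queryString) {
  const params = new URLSearchParams(queryString);
  const cancel = safeRedirectUrl(params.get("cancel_url"));
  return `<a href="${escapeAttr(cancel)}">Not Now</a>`;
}
```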


Facebook responded to the issue quickly and fixed it within hours 😊, and as a bounty they paid me $7500.
