XSS in Facebook CDN through AR Studio Effects

I was browsing the Facebook newsroom when I saw that they had put out a new addition, AR Studio Effects (https://www.facebook.com/fbcameraeffects/home/). This lets developers upload augmented reality camera effects to Facebook. The vulnerable endpoint lay within the screencast upload for an effect. The endpoint didn't check the file's contents or its extension, allowing an attacking user to change the extension to .html with malicious JavaScript, which would then execute within Facebook's CDN.

Proof of Concept

1) Navigate to https://www.facebook.com/fbcameraeffects/home/

2) Click on Upload AR Studio Effect

3) Scroll to the bottom until you find the section for uploading a “Screencast”

4) Proceed to upload a valid mp4 file

5) Turn on an HTTP interceptor like Burp Suite and capture the upload request made to /fbcameraeffects/ar_effect/screencast_upload/

6) Change the filename extension from .mp4 to .html

7) Change the file contents to malicious code

Video

Timeline

Submitted- December 14th, 2017

Triaged- December 14th, 2017 [First time I've ever gotten triaged within the same day :)]

Team Asks for Verification on fix- December 19th, 2017

Bypass to Fix- December 19th, 2017 (The initial fix only verified whether the contents of the uploaded file contained a video and did not check the extension, allowing a user to append JavaScript to the end of the video contents and change the filename extension to .html for the same result)

Bounty Awarded ($1500)- December 20th, 2017 (They awarded the bounty before the fix as they wanted me to be paid before the Christmas holiday, which was very nice of them)

Full Fix- January 9th, 2018
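The two checks this write-up contrasts, the content-only validation of the initial fix (which the appended-script polyglot slipped past) and a validation that also enforces an extension allowlist and serves uploads with a fixed MIME type, as an added example that is not from the original post or Facebook's code. The function names, the MP4 magic-byte test and the sample inputs are my own constructions.

```python
import os

# Allowed screencast uploads: extension -> (offset, expected bytes).
# An MP4 container starts with a 4-byte box size followed by "ftyp".
ALLOWED = {".mp4": (4, b"ftyp")}


def looks_like_video(data: bytes) -> bool:
    """Content-only check, modelled on the *initial* fix described above:
    accepts anything whose first box is an MP4 "ftyp" box, regardless of
    the filename or of what follows the video bytes."""
    return len(data) >= 8 and data[4:8] == b"ftyp"


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Hardened check: the extension must be allowlisted AND the content
    must match that extension. A polyglot (real MP4 header plus appended
    script, renamed .html) passes the content test but fails on extension."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not allowed"
    offset, magic = ALLOWED[ext]
    if data[offset:offset + len(magic)] != magic:
        return False, "content does not match declared type"
    return True, "ok"


def serving_headers(object_id: str) -> dict:
    """Headers for serving an accepted upload from a CDN: a server-chosen
    name, a fixed video MIME type and no browser sniffing, so the response
    is never rendered as a document even if validation were bypassed."""
    return {
        "Content-Type": "video/mp4",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{object_id}.mp4"',
    }


# Constructed sample inputs (not real uploads).
REAL_MP4 = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16
HTML_ONLY = b"<html><script>/* attacker script */</script></html>"
POLYGLOT = REAL_MP4 + b"<script>/* attacker script */</script>"

if __name__ == "__main__":
    for name, data in [("clip.mp4", REAL_MP4), ("clip.html", HTML_ONLY), ("clip.html", POLYGLOT)]:
        print(name, "initial fix:", looks_like_video(data), "hardened:", validate_upload(name, data))
```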