Facebook Messenger Desktop App Arbitrary File Read

Renwa
2 min read · Feb 3, 2021


I’m a daily user of Facebook Messenger on mobile and web. One day I got a banner in the web version saying that Messenger is available on desktop too.

I downloaded the app and started to play with it. From first impressions I knew it was built on Electron, so I extracted the asar archive and started looking through the application. Most user inputs were safe and I couldn’t find any XSS.

Sending links to someone opened them in the external browser, and there was no way to get XSS or open an HTML file.

Playing with the functionality I noticed something: going to Message Requests and then opening Spam/Filtered Messages opened a new window that required re-authenticating by clicking Continue.

Spam messages, or messages the user doesn’t want to see, are moved into that new window.

Using another account I sent a URL and moved it to the Spam section. When I clicked the link it opened in a new Electron window, not the external browser, so now we had a controlled window in which we could execute any code we wanted.

Going back to the source code and checking the options, nodeIntegration and contextIsolation were both set to false. nodeIntegration being false means we can’t directly access Node.js functions and get full RCE, but with contextIsolation set to false there is a possibility of overriding internal functions of preload.js and getting code execution.

I couldn’t find a good method to override, so I went looking for other options. With both of our usual saviors unavailable, I had to find something new, and that was <webview> :)

webviewTag was set to true in the application, which means we can use the <webview> tag. It is not very different from <iframe>, but it has some more powerful functionality.

A webview can load local files using a file:// URI, so <webview src="file:///etc/passwd"></webview> will display the contents of the passwd file inside the page.

One of the best functions is <webview>.executeJavaScript(code): once the webview has loaded, we can execute JS code in it and steal the content of the loaded file. Example:

Chaining it all together we get a file read and can send the contents to our server. Steps to reproduce:

  1. Attacker sends a malicious link to a victim they don’t know
  2. Victim opens the Spam section and clicks the link
  3. Using <webview> we load a local file
  4. With <webview>.executeJavaScript(code) we steal its content
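The defensive side of the chain above, as an added example that is not code from the post or from Messenger: the webPreferences combination the post describes beside Electron’s hardened settings, and a main-process will-attach-webview guard that refuses any <webview> whose src is not https:// on an allow-listed origin (the allow-listed origin is an assumption).

```javascript
// Added example (not Messenger's code): the post's webPreferences beside a
// hardened set, plus a 'will-attach-webview' policy. ALLOWED_ORIGINS is assumed.
const ALLOWED_ORIGINS = new Set(['https://www.messenger.com']);

// What the post found: Node blocked, but isolation off and <webview> enabled.
const weakWebPreferences = {
  nodeIntegration: false,
  contextIsolation: false,
  webviewTag: true,
};

// Electron's recommended settings for a window that renders remote content.
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webviewTag: false,
};
// Returns the settings in `prefs` that let a remote page reach local files.
function riskyPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration) findings.push('nodeIntegration enabled');
  if (!prefs.contextIsolation) findings.push('contextIsolation disabled');
  if (prefs.webviewTag) findings.push('webviewTag enabled');
  if (!prefs.sandbox) findings.push('sandbox disabled');
  return findings;
}
// Decision for the `params` Electron hands to 'will-attach-webview':
// only https:// on an allow-listed origin, and no guest-supplied preload.
function vetWebviewAttach(params) {
  let url;
  try { url = new URL(String(params.src)); } catch { return { allow: false, reason: 'unparseable src' }; }
  if (url.protocol !== 'https:') return { allow: false, reason: `scheme ${url.protocol} refused` };
  if (!ALLOWED_ORIGINS.has(url.origin)) return { allow: false, reason: `origin ${url.origin} refused` };
  if (params.preload) return { allow: false, reason: 'guest preload refused' };
  return { allow: true, reason: 'ok' };
}

// Main-process wiring; `app` is Electron's app object (or a stand-in in tests).
function installWebviewGuard(app) {
  app.on('web-contents-created', (_event, contents) => {
    contents.on('will-attach-webview', (event, webPreferences, params) => {
      if (!vetWebviewAttach(params).allow) return event.preventDefault();
      delete webPreferences.preload;           // guest may not bring its own preload
      webPreferences.nodeIntegration = false;  // guest never gets Node
      webPreferences.contextIsolation = true;
    });
  });
}
```

With webviewTag false in the hardened set the guard never fires; it is the safety net for apps that must keep the tag.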

This photo demonstrates how it worked:

Video POC showing how easy it is:

Reward: 2k$

Thanks, buh bye ~