In early 2015, while I was looking for a bug bounty (BB) program, I learned that Oculus was in scope for the Facebook bug bounty.


So, when a product is in scope, a bug bounty hunter should look at all of its main domains and subdomains. At that time the Oculus domain was “https://developer.oculusvr.com/”.

But there was a link in the menu to “https://answers.oculus.com/”, which I clicked. After some browsing, I found that you can upload images in the comments, and that is where I wanted to dig.

How does it work?

If you upload an image in a comment, the first filter checks whether the uploaded file is an image only by looking at the file name: it checks that the name ends with an image extension.

The request includes image=true.

I uploaded a file named “xxml.jpg”, using Burp to intercept the request, change the Content-Type to text/xml, and forward the request.


That way I uploaded XML. I also tried .php and .html; they were uploaded, but the server returned a 500 error. I wanted to demonstrate a more harmful attack, so I used an SWF file: SWF can be used for SOP bypass, XSS, open redirect, and leaking the CSRF token, because it was stored in cookies. There is a very useful tool by @evilcos called xss.swf; you can find it here.

Now let’s do it again with .swf:

Same thing: intercept –> change Content-Type to application/x-shockwave-flash –> forward. Here is a video of how I did it:

I uploaded an evil swf file.


Everything is good, now let’s report it to Facebook.

After a while, Facebook closed my account, and they replied:

Hi Abdullah, Thank you for your report. This subdomain is actually not part of the Facebook bug bounty program and is hosted by AnswerHub. If you believe you have discovered a security vulnerability in that site, please consider responsibly disclosing it directly to them.

Thanks,

Mark Security Facebook

It was a disappointing reply, because I thought that every *.oculus.com domain was in scope.

The login went through api.oculus.com, so there was hope of stealing the access token. After some research, I found that I could steal the token using the uploaded SWF file: redirect to it, and it steals the token (some details were lost while formatting).

So the final PoC URL:

https://api.oculus.com/v1/oauth2/authorize?client_id=answerHub&response_type=token%20id_token&nonce=-blahblah&state=&redirect_uri=https://answers.oculus.com/storage/attachments/131-xss.jpg&country=US&locale=en_US

Because of the improper validation of redirect_uri on api.oculus.com, I was able to change its value. The same redirect_uri can also be used for an open redirect, and this affects api.oculus.com, which is in scope.
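As an added example (not code from the write-up, AnswerHub or Oculus), here are the two server-side checks that would have broken this chain: an exact-match allowlist for redirect_uri per client_id on the authorize endpoint, and an upload check that trusts the file's magic bytes instead of its extension or the client-supplied Content-Type. The allowlist entries and the callback path are constructed assumptions; the PoC URL checked is the one from this post.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed registration table: each client_id maps to exact redirect URIs (constructed for this example).
REGISTERED_REDIRECTS = {
    "answerHub": {"https://answers.oculus.com/auth/callback"},
}

def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact match only: scheme, host, path and query must equal a registered URI.
    No prefix, substring or 'same domain' matching, which is what lets an
    uploaded file under /storage/attachments/ become a token sink."""
    allowed = REGISTERED_REDIRECTS.get(client_id)
    if not allowed:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    normalized = parts._replace(netloc=parts.netloc.lower()).geturl()
    return normalized in allowed

def authorize_request_ok(url: str) -> bool:
    """Apply the check to a full /oauth2/authorize URL such as the PoC above."""
    qs = parse_qs(urlsplit(url).query)
    client_id = qs.get("client_id", [""])[0]
    redirect_uri = qs.get("redirect_uri", [""])[0]
    return redirect_uri_allowed(client_id, redirect_uri)

# Upload side: decide by file content. Extension and Content-Type come from the
# client and were exactly what Burp rewrote in the write-up.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

def sniff_image_type(data: bytes):
    """Return the detected image MIME type, or None for anything else (XML, SWF, HTML...)."""
    for signature, mime in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return mime
    return None

def upload_accepted(filename: str, content_type: str, data: bytes) -> bool:
    """Accept an 'image' upload only if the bytes really are an image; name and
    Content-Type are logged for context but never trusted for the decision."""
    return sniff_image_type(data) is not None
```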

I reported again:

Hi Mark, I know that it is hosted on AnswerHub and I will report it to them, but if you see that answers.oculus.com can be used to steal access tokens from api.oculus.com, and that will affect (api.oculus.com) which is in scope, it can be used to redirect as well.

Log out and open this URL: you will get the login page, and when the user logs in he will be redirected to the SWF file that steals the access token, and that will affect the OAuth of Oculus.
URL://URL
Open redirect for example
URL://URL
That should be a bug in the system of Oculus.

Thanks.

I got the following reply:

Hi Abdullah,
Thanks again for writing in. The improper validation of redirect_uri on api.oculus.com was already known to us due to a previous report. There’s a fix currently being tested.
As Mark mentioned, since answers.oculus.com is hosted by a third-party called AnswerHub, the issue of a stored XSS on AnswerHub is unfortunately out-of-scope. I’d encourage you to reach out to them directly and let them know about the issue.
Thanks,
Aaron Security Facebook

Because it’s a third-party product, other companies use it too. I made a Google dork to search for it, and I got some good results, like eBay, IBM, and more!

I did the same process for each site; here are the results:

Then it was time to report it to AnswerHub, so I contacted Matthew Schmidt, the CTO of DZone, which builds AnswerHub (a paid service). They didn’t give any bounty; they told me they would send a package of DZone goodies, but I never got anything, and I don’t know whether it was my bad post office or whether they never sent it. Weeks later, they published a release note without my name, so I contacted them again and they added it, but got my last name wrong! Here’s the link: http://answerhub.com/releases/changelogs/answerhub-1.6.3-release-change-log/

I told Facebook about all of this, and Neal Poole replied:

Hi Abdullah,
Glad to hear it!
Thanks,
Neal Security Facebook

That is all of it. Thank you for reading; you can contact me on Twitter at @Abdulahhusam.

Take care.