In early 2015, when I was looking for a bug bounty (BB) program, I learned that Oculus was within the scope of the Facebook BB.
So, when a product is in scope, a BB hunter should look for all of its main and sub domains. At that time the domain of Oculus was “https://developer.oculusvr.com/”.
But there was a link in the menu to “https://answers.oculus.com/” that I clicked. After some browsing, I found that you can upload images in the comments, and that is where I wanted to dig.
How does it work?
If you upload an image in the comments, the first filter checks whether the uploaded file is an image only by checking whether the file name ends with an image extension; the request includes image=true.
I uploaded a file “xxml.jpg”, using Burp to intercept the request, changed the content type to text/xml, and forwarded the request.
Then I uploaded XML. I tried .php and .html as well; they were uploaded, but resulted in a 500 server error. I wanted to demonstrate a more harmful attack, so I used an SWF. An SWF can be used for SOP bypass, XSS, open redirect, and leaking the CSRF token, because it was stored in cookies. There is a very useful tool by @evilcos called xss.swf; you can find it here.
Now let’s do it again with the SWF file. Same thing: intercept –> change the content type to application/x-shockwave-flash –> forward. Here is a video of how I did it:
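The upload check described above, as an added example that is not AnswerHub’s or Oculus’s code: the extension-plus-image=true filter the post describes, next to a hardened version that decides from the file’s own bytes and ignores the client-sent Content-Type. The filenames and sample bytes are constructed for the demonstration.

```python
from typing import Optional, Tuple, Dict

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")

# Magic bytes of the image formats the site is willing to store.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
# Prefixes of active content that must never be stored under an image name:
# SWF headers (FWS/CWS/ZWS) and anything that begins like markup.
ACTIVE_PREFIXES = (b"fws", b"cws", b"zws", b"<?xml", b"<!doctype",
                   b"<html", b"<script", b"<svg")


def weak_check(filename: str, image_flag: bool) -> bool:
    """The filter the post describes: the name ends in an image extension and
    the request carries image=true. The bytes and the real Content-Type are
    never inspected, so xxml.jpg sent as text/xml or an SWF passes."""
    return image_flag and filename.lower().endswith(IMAGE_EXTS)


def sniff_image(data: bytes) -> Optional[str]:
    """MIME type implied by the file's own bytes, or None if not an image."""
    head = data[:16].lstrip().lower()
    if head.startswith(ACTIVE_PREFIXES):
        return None
    for sig, mime in IMAGE_SIGNATURES.items():
        if data.startswith(sig):
            return mime
    return None


def hardened_check(filename: str, data: bytes) -> Tuple[bool, Dict[str, str]]:
    """Accept only when the sniffed type is an image and the extension agrees.
    Returns the decision and the headers to serve the file with; the
    client-supplied Content-Type plays no part in either."""
    mime = sniff_image(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    agrees = {"image/jpeg": ("jpg", "jpeg"), "image/png": ("png",),
              "image/gif": ("gif",)}
    if mime is None or ext not in agrees[mime]:
        return False, {}
    # Server-chosen type, no browser sniffing, and attachment disposition so a
    # direct navigation downloads instead of rendering (<img> embeds still work).
    return True, {"Content-Type": mime, "X-Content-Type-Options": "nosniff",
                  "Content-Disposition": "attachment"}


# Constructed samples: a JPEG header, a small XML document and the start of a
# zlib-compressed SWF, each uploaded under an image filename as in the post.
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
XML_DOC = b'<?xml version="1.0"?><x/>'
SWF = b"CWS\x0a\x00\x00\x00\x00x\x9c"
```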
Everything is good; now let’s report it to Facebook.
After a while, Facebook closed my account, and they replied:
Hi Abdullah, Thank you for your report. This subdomain is actually not part of the Facebook bug bounty program and is hosted by AnswerHub. If you believe you have discovered a security vulnerability in that site, please consider responsibly disclosing it directly to them.
Mark, Facebook Security
It was a disappointing reply, because I thought that every *.oculus.com domain was in scope.
I logged in using api.oculus.com, and there was hope of stealing the access token. After some research, I found that I could steal the token using the uploaded SWF file: redirect to it, and steal the token (lost data while formatting).
So the final URL PoC:
Because of the improper validation of redirect_uri on api.oculus.com, I was able to change its value, so it can be used for an open redirect too, and this affects api.oculus.com, which is in scope.
I reported again:
Hi Mark, I know that it is hosted on AnswerHub and I will report to them, but if you see that answers.oculus.com can be used to steal access tokens from api.oculus.com, and that will affect (api.oculus.com) which is in the scope, it can be used to redirect as well.
Log out and open this URL; you will get the login page, and when the user logs in he will be redirected to the swf file that steals the access token, and that will affect OAuth of Oculus.
Open redirect, for example:
That should be a bug in the system of Oculus.
I got the following reply:
Thanks again for writing in. The improper validation of redirect_uri on api.oculus.com was already known to us due to a previous report. There’s a fix currently being tested.
As Mark mentioned, since answers.oculus.com is hosted by a third-party called AnswerHub, the issue of a stored XSS on AnswerHub is unfortunately out-of-scope. I’d encourage you to reach out to them directly and let them know about the issue.
Aaron, Facebook Security
Because it’s a third-party product, other companies use it too. I made a Google dork to search for it, and I got some good results, like eBay, IBM, and more!
I did the same process for each site; here are the results:
That was the time to report it to AnswerHub, so I contacted “Matthew Schmidt”, the CTO of DZone, which builds AnswerHub, a paid service. They didn’t give any bounty; they told me they would send a package of DZone things, but I didn’t get a thing. I don’t know whether it’s my bad post office or they never even sent it. Weeks later, they published a release note without my name, so I contacted them again and they added it, but got my last name wrong! Here’s the link: http://answerhub.com/releases/changelogs/answerhub-1.6.3-release-change-log/
I told Facebook about all of this, and Neal Poole replied:
Glad to hear it!
Neal, Facebook Security
That is all of it. Thank you for reading it all; you can contact me on Twitter: @Abdulahhusam