While setting up “Custom Feed” for a Workplace Group from
/groups/<id>/integrations, the preview of the feed’s profile picture is not proxied.
The feed verifier takes the user-supplied Feed URL, scrapes the feed data from that URL, and returns the feed’s “profile picture” URL directly to the web client without rewriting it.
data.preview.profile_image_url in the GraphQL query response is not proxied at all.
This results in the web browser directly fetching the profile picture from the third-party server, without going through Facebook.
Without Facebook proxying/sanitizing the profile picture, an attacker who controls the feed can obtain an unaware user’s IP address and request headers (User-Agent, Referer, and so on) the same way email trackers work, or potentially chain the direct fetch with an external 0-day (e.g. XSS), if any exists. Because the request comes from the victim’s own browser, the logged IP and headers are the victim’s, not Facebook’s.
In the PoC RSS feed, the feed’s image URL (XML path rss.channel.image.url) points to a server that logs incoming requests.
In this PoC, I set up a dummy RSS feed with an animated GIF of Nyan Cat as the profile picture.
Both the RSS feed file and the Nyan Cat GIF are served from a dummy Express (Node) server that logs the request IP and headers.
Go to a Workplace Group’s Integrations tab (/groups/<id>/integrations).
In the “Available Integrations” section, click “Custom Feed”.
Paste the Feed URL that points at the request-logging server.
Watch the server log: the feed itself is fetched server-side by the verifier, while the profile picture is fetched directly by the browser of whoever views the preview.
2018-06-06: Report Submitted
2018-06-07: Marked as “Informative”, due to:
This appears to be working as intended.