@wongmjane

De-anonymize User in Facebook Feed Preview

While setting up “Custom Feed” for a Workplace Group from /groups/<id>/integrations, the preview of the feed’s profile picture is not proxied.

The feed verifier takes the user-supplied Feed URL, scrapes the feed data from that URL, and returns the URL of the “profile picture” from the feed data directly back to the web client.

The data.preview.profile_image_url from this GraphQL Query Document is not proxied at all.

Impact

This results in the web browser directly fetching the profile picture from the third-party server, without going through Facebook.

Without Facebook proxying/sanitizing the profile picture, one can exploit this to obtain an unaware user’s IP address and request headers (the same way email trackers work), or potentially a 0-day external XSS, if any exists.
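As an added example (not code from this report or from Facebook), here is how the feed verifier could hand back a proxied URL instead of the raw one: it parses rss.channel.image.url from a constructed sample feed and rewrites it into an HMAC-signed first-party proxy URL, so the browser never contacts the third-party host. The proxy host, key and function names are assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import quote, unquote, urlparse

# Constructed sample feed with the same structure as the PoC (rss.channel.image.url).
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Dummy feed</title><link>https://third-party.example/</link>
  <image>
    <url>https://third-party.example/nyan.gif</url>
    <title>Dummy feed</title><link>https://third-party.example/</link>
  </image>
</channel></rss>"""

PROXY_BASE = "https://img-proxy.example/"       # hypothetical first-party image proxy
PROXY_KEY = b"placeholder-server-side-secret"   # placeholder; keep the real key server-side

def extract_profile_image_url(rss_xml: str) -> Optional[str]:
    """Return rss.channel.image.url from the scraped feed, or None if absent."""
    node = ET.fromstring(rss_xml).find("./channel/image/url")
    return node.text.strip() if node is not None and node.text else None

def to_proxied_url(third_party_url: str) -> str:
    """Rewrite a third-party image URL into an HMAC-signed proxy URL.
    The browser loads it from PROXY_BASE, so the third party only sees the proxy's IP."""
    if urlparse(third_party_url).scheme not in ("http", "https"):
        raise ValueError("unsupported image URL scheme")
    digest = hmac.new(PROXY_KEY, third_party_url.encode(), hashlib.sha256).hexdigest()
    return f"{PROXY_BASE}{digest}/{quote(third_party_url, safe='')}"

def verify_proxy_request(digest: str, quoted_url: str) -> bool:
    """Proxy-side check before fetching: only URLs the server signed are allowed,
    so the proxy cannot be abused as an open fetcher."""
    expected = hmac.new(PROXY_KEY, unquote(quoted_url).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(digest, expected)

def build_preview(rss_xml: str) -> dict:
    """What the feed verifier should hand back to the client: never the raw URL."""
    raw = extract_profile_image_url(rss_xml)
    return {"profile_image_url": to_proxied_url(raw) if raw else None}
```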

Proof-of-Concept

In the PoC RSS, point the image URL of the feed (XML structure rss.channel.image.url) to a server that logs incoming requests.

In this PoC, I set up a dummy RSS feed with an animated GIF of Nyan Cat as the profile picture.

Both the RSS feed file and the Nyan Cat GIF are served from a dummy Express (Node) server that logs the request IP and headers.

Steps

  1. Go to a Workplace Group’s Integrations tab (https://workplace.facebook.com/groups/<id>/integrations)

  2. In the “Available Integrations” section, click “Custom Feed”

  3. Paste the Feed URL that tracks server requests.

  4. Watch the server log.

Timeline

2018-06-06: Report Submitted

2018-06-07: Marked as “Informative”, due to:

This appears to be working as intended.