XSS on Facebook-Instagram CDN Server bypassing signature protection
All Facebook and Instagram photos, videos and other content are stored on their CDN servers, such as "*.fbcdn.net" and "*.cdninstagram.com", and are served via various sub-domains. Every photo/video URL on the CDN carries a signature (the "oh" and "oe" parameters, among others), which causes an error to be thrown if we modify the file extension (e.g. ".jpg" to ".html").
The first thing that came to my mind was: why shouldn't I strip the unnecessary parameters from the URL and make it clean? Then it would be straightforward: "https://instagram.fpnq2-1.fna.fbcdn.net/12494762_1700832180174667_9131300789175210564_n.jpg".
The response was: "Access Denied". After a lot of digging around with that, I was able to bypass the signature protection for any image or video, even for links that had already expired. That means I had access to all of the CDN content, including data that had already expired for the end user.
Vulnerability Discovery
The path begins with a "/v/" segment, which is there to verify whether the hashes in the URL grant access or not. Removing the "/v/" segment alone still returns an error: "Access Denied". So I started thinking of ways to get the content served cross-domain, with extensions such as ".html", ".svg" and even ".php" (a PHP shell obviously won't execute, but it demonstrates that we can browse the file anyway).
So the final URL changes from
https://instagram.fpnq2-1.fna.fbcdn.net/v/t51.2885-15/12494762_1700832180174667_9131300789175210564_n.png?_nc_cat=0&oh=cb7024e12c863937b69c3d6c15589697&oe=5B31E89F
to
https://scontent.xx.fbcdn.net/t51.2885-15/12494762_1700832180174667_9131300789175210564_n.html
and at this point I am able to execute JavaScript on the CDN server.
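The defensive side of this bug is that a signed-URL check only helps if every host and every path variant enforces it, if the signature covers the whole object path including the extension, and if the served Content-Type is taken from stored object metadata rather than from the extension the client asks for. The following is an added illustrative example of such an edge-side check, not Facebook's code: the signing key, object table, hostnames and the HMAC-over-path-and-expiry scheme are all constructed, and treating "oe" as a hex unix timestamp is an assumption.

```python
"""Signed-URL verification for a CDN edge (added illustrative example, not
Facebook's code). The signature must cover the full object path, including
the file extension, and the served Content-Type must come from stored object
metadata rather than from whatever extension the client requests. The key,
object table and URLs below are constructed."""
import hmac
import hashlib
import posixpath
import time
from urllib.parse import urlsplit, parse_qs

SIGNING_KEY = b"constructed-edge-signing-key"  # placeholder, never a real key

# Constructed object store: object id -> the Content-Type recorded at upload time.
OBJECT_STORE = {
    "photo_0001_n": "image/jpeg",
    "clip_0002_n": "video/mp4",
}

# Types that are safe to render inline; anything else is sent as a download.
INLINE_TYPES = {"image/jpeg", "image/png", "image/gif", "video/mp4"}


def sign_path(path, expires):
    """HMAC-SHA256 over the canonical path and its expiry (assumption: this is
    how an 'oh'-style parameter could be derived; the real scheme is not public)."""
    msg = f"{path}|{expires:08x}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_signed_url(host, object_id, ext, expires):
    """Mint a URL of the shape used by the CDN: /v/<path>?oh=<sig>&oe=<hex expiry>."""
    path = f"/v/t51.2885-15/{object_id}.{ext}"
    return f"https://{host}{path}?oh={sign_path(path, expires)}&oe={expires:08x}"


def verify_request(url, now=None):
    """Return (status, headers). Every hostname runs the same check: without a
    signed '/v/' path there is no content, whichever sub-domain is asked."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    path = parts.path
    query = parse_qs(parts.query)

    # 1. The path must be the signed form; stripping '/v/' is not a valid variant.
    if not path.startswith("/v/"):
        return 403, {}

    # 2. Both signature parameters must be present and well-formed.
    oh = query.get("oh", [None])[0]
    oe = query.get("oe", [None])[0]
    if oh is None or oe is None:
        return 403, {}
    try:
        expires = int(oe, 16)  # assumption: 'oe' is a hex unix timestamp
    except ValueError:
        return 403, {}

    # 3. The signature binds the whole path, so a changed extension fails here.
    if not hmac.compare_digest(oh, sign_path(path, expires)):
        return 403, {}

    # 4. Expired links stay expired.
    if now >= expires:
        return 403, {}

    # 5. Content-Type comes from stored metadata, not from the requested extension.
    object_id, _ext = posixpath.splitext(posixpath.basename(path))
    content_type = OBJECT_STORE.get(object_id)
    if content_type is None:
        return 404, {}
    headers = {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
    }
    if content_type not in INLINE_TYPES:
        headers["Content-Disposition"] = "attachment"
    return 200, headers


if __name__ == "__main__":
    exp = 0x5B31E89F
    good = make_signed_url("cdn.example.net", "photo_0001_n", "jpg", exp)
    print(verify_request(good, now=exp - 3600))
    # Extension swapped to .html: the signature no longer matches the path.
    print(verify_request(good.replace(".jpg", ".html"), now=exp - 3600))
    # Signature stripped and '/v/' removed on another constructed host.
    print(verify_request("https://other.example.net/t51.2885-15/photo_0001_n.html", now=exp - 3600))
```

The point of step 5 is that even if a signed URL for an ".html" name were ever minted, the response would still carry the upload-time Content-Type and `nosniff`, so the browser would not interpret an image object as a document.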
Impact
This could have allowed an attacker to run arbitrary JS on the Facebook CDN. It wouldn't have allowed access to the user's cookies/session, because of the sandboxed domain, but it could have been used for phishing or as a Linkshim bypass.
Similar Bugs:
- An XSS on Facebook via PNGs & Wonky Content Types
- Ability to upload HTML via SRT caption files for Facebook Videos.
- XSS in Facebook CDN through AR Studio Effects.
Timeline
- 8 Mar, 2018 – Initial Report Sent.
- 10 Mar, 2018 – Acknowledgment of Report.
- 23 Mar, 2018 – Issue Fixed.
- 28 Mar, 2018 – Bounty Awarded by Facebook.