Namaste! Good Morning,
A computer science student at Comsats Institute of Information Technology Islamabad (Pakistan) named Haider
Mehmood took part in Facebook's Bug Bounty Program and was rewarded $500 for finding and reporting an HTML Injection vulnerability.
The details of the bug are as follows:
Vulnerability title: HTML Injection
Vendor homepage: http://m.facebook.com
Tested on: Windows 7 64-bit, Firefox browser (it should also have worked on other operating systems and browsers; not sure about IE)
Vulnerability Submitted on: 12/1/2013
Vulnerability Status: FIXED / PATCHED
Vulnerable Parameter: https://m.facebook.com/survey.php?incorrect_brand&params=
Facebook runs a survey to evaluate the user experience of people browsing the Facebook mobile site. Here is the survey: https://m.facebook.com/survey.php . When you enter your mobile phone brand, it provides a list of brands in case you typed an incorrect brand.
The list of mobile brands provided in the survey was:
The list of phone brands that was provided contained HTML code inside the parameter:
https://m.facebook.com/survey.php?incorrect_brand&params=[HTML code of Brands and Radio Buttons]
A remote user was able to add any brand name and radio buttons, therefore allowing remote HTML injection. It was as simple as it sounds.
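To show the pattern behind this bug, here is an added example (not Facebook's code, and not Haider's PoC): a hypothetical survey page that pastes the client-supplied `params` value straight into the markup, next to a hardened version that escapes what the user typed and builds the brand list from a constructed server-side allowlist. The URL helper, the brand allowlist and the injection check are assumptions made for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed server-side allowlist standing in for the survey's brand list.
KNOWN_BRANDS = ("BlackBerry", "HTC", "Nokia", "Samsung", "Sony")


def params_from_url(url: str) -> str:
    """Return the 'params' query value of a survey URL ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("params", [""])[0]


def render_vulnerable(params: str) -> str:
    """The flawed pattern: the client-supplied 'params' value is pasted into
    the page as markup, so any tag in it (brands, radio buttons, anything)
    is rendered. Kept only to contrast with the hardened version."""
    return "<form>" + params + "</form>"


def render_hardened(typed_brand: str) -> str:
    """Safe pattern: the user's input is echoed as HTML-escaped text only, and
    the radio buttons are built from the server-side allowlist, so nothing the
    client sends can ever become an element or attribute."""
    shown = html.escape(typed_brand)  # escapes & < > " and '
    rows = [
        f'<label><input type="radio" name="brand" value="{html.escape(b)}">'
        f"{html.escape(b)}</label>"
        for b in KNOWN_BRANDS
    ]
    return (
        f'<p>"{shown}" is not a brand we recognise. Did you mean:</p>'
        "<form>" + "".join(rows) + "</form>"
    )


def looks_like_injection(value: str) -> bool:
    """Cheap detection hook: a field that should only hold a brand name never
    legitimately contains angle brackets, so flag such requests for logging."""
    return "<" in value or ">" in value


if __name__ == "__main__":
    # Constructed sample request; the tag in the value mirrors the report above.
    sample = "https://m.facebook.com/survey.php?incorrect_brand&params=<b>injected</b>"
    value = params_from_url(sample)
    print("flagged:", looks_like_injection(value))
    print("vulnerable:", render_vulnerable(value))
    print("hardened:  ", render_hardened(value))
```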
PoC Haider submitted to Facebook:
Facebook replied and acknowledged the issue.
Facebook replied again after two months, once they had patched the vulnerability.
They then emailed Haider regarding his eligibility for the bug bounty program and the details of the bounty.