My Story with Onavo (a Facebook Acquisition)


When I was checking Facebook WhiteHat page, I realized that they added a new target on the scope, which is Onavo.

I downloaded their apps and started to intercept the links that I found.

One of the links raised an eyebrow. I said to myself that this looks vulnerable.

The link looks something like this: http://cf.onavo.com/iphone/mc/deactivate.html?url=/somethingthatIforget/&seed=1394953248

So it looks like it is vulnerable to Open Redirect.

I executed the link like this: http://cf.onavo.com/iphone/mc/deactivate.html?url=http://bing.com&seed=1394953248.

It redirected me to http://bing.com.

Right now I have an Open Redirect vulnerability, but that’s not enough for me.

After digging more into the nature of the page, I realized that it redirects me after about 2 seconds. So it looked something like this:

<meta http-equiv="refresh" content="0; url=http://bing.com/" />

So I changed it to issue a redirection to

javascript:alert(document.domain)

Reflected XSS
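As an added example (not code from the original post or from Onavo), here is the server-side check on the url parameter that would have blocked both the open redirect to bing.com and the javascript: meta-refresh XSS described above. The host name cf.onavo.com and the sample values come from the URLs in the post; the function names are my own.

```python
from html import escape
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Origin the deactivate page lives on (taken from the URL quoted in the post).
ALLOWED_HOST = "cf.onavo.com"


def safe_redirect_target(url: str, allowed_host: str = ALLOWED_HOST) -> Optional[str]:
    """Return a redirect target safe to embed in a meta refresh, or None.

    Accepted shapes:
      * a path-only relative URL ("/iphone/mc/...") that is not scheme-relative ("//host")
      * an absolute http(s) URL whose host is exactly allowed_host
    Anything else, including "javascript:" and "data:" schemes, is rejected.
    """
    # Drop tabs, newlines and other control characters: browsers ignore them when
    # parsing a scheme, so "java\tscript:" would otherwise slip past a naive check.
    cleaned = "".join(ch for ch in url if ch.isprintable()).strip()
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. malformed IPv6 brackets
        return None
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must begin with exactly one "/" (reject "//host" and "/\host").
        if cleaned.startswith("/") and not cleaned.startswith(("//", "/\\")):
            return cleaned
        return None
    if parts.scheme in ("http", "https") and parts.hostname == allowed_host:
        # Rebuild from the parsed host so userinfo tricks ("http://cf.onavo.com@evil/")
        # cannot smuggle a different destination through.
        return urlunsplit((parts.scheme, parts.hostname, parts.path or "/", parts.query, parts.fragment))
    return None


def render_meta_refresh(url: str) -> str:
    """Emit the deactivate page's meta refresh with a validated, HTML-escaped target."""
    target = safe_redirect_target(url) or "/"  # fall back to the site root on rejection
    return '<meta http-equiv="refresh" content="0; url=%s" />' % escape(target, quote=True)
```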

Timeline:

Rewards:

Final Thoughts:

Mazin Ahmed