How to Bypass Facebook's HSTS

Hey everyone, this will be a quick post.

Facebook does not use HTTP Strict Transport Security (A header that tells the browser to only use HTTPS when communicating with the server) on subdomains of facebook.com. That means, if someone uses facebook in a different language, the browser will attempt to connect using HTTP first. An attacker can intercept that request and serve a different page, including a fake login one.

Here are a few images showing the process of stealing a victim's password:

Here's an example of someone accessing facebook.pl:

facebook.pl redirects to pl-pl.facebook.com, which is a subdomain of facebook.com. HTTP 301 means the page was moved, and the new location is given. In this case we are redirected to https://pl-pl.facebook.com, and attackers can no longer see data being sent.

If subdomains of facebook used HSTS, the browser would connect over HTTPS automatically, without needing a redirect.

Here, we are responding to a request for pl-pl.facebook.com with the contents of example.com:

The address bar still shows pl-pl.facebook.com, so the victim is none the wiser.

If we copy the facebook login page and put it on example.com:

...The victim is likely to log in, and the input is sent over HTTP.

If you live in an english-speaking country, the hard part will be to get your victim to connect to some subdomain of facebook.com. Otherwise, exploitation of this is trivial.

Feel free to ask in the comments about details, I was in a bit of a rush writing this.