How To: Bypass Facebook's HSTS

Hey everyone, this will be a quick post.

Facebook does not apply HTTP Strict Transport Security (HSTS, a response header that tells the browser to use only HTTPS for that host from then on) to subdomains of facebook.com: the header sent by facebook.com lacks the includeSubDomains directive, so it covers facebook.com alone. Facebook serves its localized sites from such subdomains, so when someone uses Facebook in a language other than English, the browser's first request goes out over plain HTTP and is only then redirected to HTTPS. An attacker on the network path can intercept that plain-HTTP request and answer it with a page of their own, including a fake login page.

Here are a few images showing the process of stealing a victim's password:

Here's an example of someone accessing facebook.pl:

Image via imgur.com

facebook.pl redirects to pl-pl.facebook.com, which is a subdomain of facebook.com. HTTP 301 (Moved Permanently) means the resource has moved, and the response's Location header gives the new address. Here the chain ends at https://pl-pl.facebook.com, and from that point on the connection is encrypted, so an attacker can no longer read the data being sent. Everything before it, the plain-HTTP request to pl-pl.facebook.com and the redirect that answers it, travels in cleartext and can be tampered with.

If facebook.com's HSTS policy covered its subdomains (includeSubDomains in the header, and ideally preloaded into browsers), a browser that had seen the policy would rewrite the URL to https:// internally and never send the plain-HTTP request at all, so there would be nothing to intercept and no redirect needed.
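The following Python model of that browser decision is an added example, not code from the original post. It implements the host-matching rule of RFC 6797 (an exact host match always applies; a superdomain's policy such as facebook.com's applies to pl-pl.facebook.com only when it carries includeSubDomains) together with max-age expiry, so the case described above can be checked offline. The header values in demo() are constructed for illustration and are not Facebook's actual headers.

```python
"""Model of a browser's HSTS upgrade decision (RFC 6797, sections 6.1 and 8.3).

Added example, not code from the original post. The header values used in
demo() are constructed for illustration, not captured from Facebook.
"""
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    max_age: int             # seconds the policy stays valid
    include_subdomains: bool # set by the includeSubDomains directive
    received_at: float       # when the header was seen (Unix time)

    def expired(self, now: float) -> bool:
        return now > self.received_at + self.max_age


def parse_hsts(header: str, received_at: float) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value.

    Directive names are case-insensitive and may appear in any order. max-age
    is mandatory and may be quoted; a duplicate or non-numeric max-age makes
    the header invalid. Unknown directives (e.g. 'preload', which only matters
    to the browser vendors' preload list) are ignored, as the RFC requires.
    """
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, received_at)


class HstsStore:
    """The browser's list of known HSTS hosts, learned from HTTPS responses."""

    def __init__(self) -> None:
        self.policies: Dict[str, HstsPolicy] = {}

    def learn(self, host: str, header: str, now: float) -> None:
        """Record the policy `host` sent over HTTPS; max-age=0 deletes it."""
        policy = parse_hsts(header, now)
        if policy is None:
            return
        if policy.max_age == 0:
            self.policies.pop(host.lower(), None)
        else:
            self.policies[host.lower()] = policy

    def upgrades(self, host: str, now: float) -> bool:
        """Would the browser rewrite http://host/ to https://host/ before sending?

        Walks host, then each superdomain (pl-pl.facebook.com -> facebook.com
        -> com). An exact match always applies; a superdomain match applies
        only if that policy asserted includeSubDomains.
        """
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None or policy.expired(now):
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False


def demo() -> Dict[str, bool]:
    """Compare a facebook.com-style policy without includeSubDomains to the fix."""
    now = time.time()
    # Constructed example of a policy that covers the apex host only.
    weak = HstsStore()
    weak.learn("facebook.com", "max-age=15552000; preload", now)
    # The fix discussed in the post: the same policy with includeSubDomains.
    fixed = HstsStore()
    fixed.learn("facebook.com", "max-age=15552000; includeSubDomains; preload", now)
    return {
        "weak_apex": weak.upgrades("facebook.com", now),
        "weak_pl": weak.upgrades("pl-pl.facebook.com", now),
        "fixed_pl": fixed.upgrades("pl-pl.facebook.com", now),
        "fixed_expired": fixed.upgrades("pl-pl.facebook.com", now + 15552001),
    }


if __name__ == "__main__":
    for case, upgraded in demo().items():
        print(f"{case}: {'upgraded to HTTPS' if upgraded else 'sent over plain HTTP'}")
```

With the weak policy, facebook.com itself is upgraded but pl-pl.facebook.com is still fetched over plain HTTP, which is the window the post exploits; adding includeSubDomains closes it. Two caveats the model makes visible: a cached policy exists only after the browser has once received the header over HTTPS, so a fresh profile or an expired max-age still sends the first request in the clear unless the domain is on the browsers' preload list, and includeSubDomains commits every subdomain to HTTPS, so any subdomain still served over HTTP alone breaks once it is set.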

Here, the attacker's proxy answers the plain-HTTP request for pl-pl.facebook.com with the contents of example.com instead of passing it on to Facebook:

Image via imgur.com

The address bar still shows pl-pl.facebook.com (with no padlock, since the page arrived over plain HTTP), so a victim who is not checking for HTTPS is none the wiser.

If we copy the Facebook login page and host it on example.com instead:

Image via imgur.com

...the victim is likely to log in, and the submitted username and password travel over plain HTTP to the attacker's page, where they can be read in cleartext.

If you live in an English-speaking country, the hard part will be getting your victim to connect to a subdomain of facebook.com at all, since facebook.com itself is covered by HSTS. In other locales, where users are routed to country subdomains like pl-pl.facebook.com anyway, all the attacker needs is a position on the victim's network path (a proxy or rogue access point), and exploitation is trivial.

Feel free to ask in the comments about details; I was in a bit of a rush writing this.

21 Comments

If I am not mistaken, this is a problem on Facebook's side. If you reported this, you might've gotten a bug bounty!

-Phoenix750

I actually reported this yesterday (08.03.2016). They responded with this:

Thanks for this report. The lack of HSTS on a given site is really more of a defense-in-depth issue rather than a discrete security vulnerability. While this might get changed at some point in the future, it's not a significant enough security risk to be rewarded via the bug bounty program. Sorry! Good luck with your bug hunting!

Are they for real? This clearly forms a security threat! UGH, I'll never understand how such large corporations can be SO careless!

-Phoenix750

I also find this strange. This is a pretty big vulnerability and fixing it would be as simple as adding "include subdomains" in the HSTS header.

The mobile link, m.facebook.com, also used to be vulnerable for some time. Why they added HSTS to mobile but not the others is beyond me.

Too many other things on their plate, probably. In my experience the higher-ups care more about feature upgrades than security.

I am going to assume they have some sort of requirements that security flaws have to meet before they'll act on them.

Wasn't this how that guy from the other day hacked Facebook? He exploited multiple vulnerabilities in the subdomains to brute-force passwords.

If you reset your Facebook password, you get sent a code, which you input into a dialog and then change your password. The guy discovered that if you use beta.facebook.com, you can try codes over and over, while on normal Facebook you can only try around 10 times.

But both that and your vulnerability are on subdomains only. Perhaps we have found a vulnerability goldmine in subdomains?

-Phoenix750

Probably a coincidence. But it might be worth it to look further into subdomains.

Good idea.

Good find, Joe, this is a fully-fledged security hole! I don't understand why they didn't issue a bug bounty, but regardless, great job!

Cheers,
Washu

I didn't get it. How did you obtain their password right before it changed to HTTPS?

What did you use?

When a victim requests some subdomain of facebook.com, such as pl-pl.facebook.com in our case, they don't have a secure connection straight away - they must be redirected first.

Here, I used a proxy server to change any requests to Facebook to a phishing page. Hence, the victim can't connect to Facebook, and can't be redirected to HTTPS by it.

Once on the phishing page, the victim logs in, and the credentials are sent in cleartext.

This is an awesome vulnerability to look at. It would be super interesting if you went more in depth with how to set up the phishing page and the tools required to do so.

All the best,
Cameron

Thanks, I'll write a more detailed tutorial in the near future.

Hi! Thanks for the post. How is the detailed tutorial you mentioned above coming along? I'd be really glad for it. Thanks :)

It's a shame that Facebook is not pushing to add support for DNSSEC :(

Very nice find!! It's a shame that Facebook won't recognize the severity of this vulnerability though. Thanks for posting your find nonetheless, Facebook subdomains here we come!

Just tried it, and it looks like it's automatically directing you to the correct Facebook site.

Great work there! Still works like a charm, thanks.