Description
This could allow an attacker to upload HTML files to Facebook CDNs. It happens because the upload endpoint only validates the MIME type supplied in the "Content-Type" header and never checks the file extension, so an HTML file can be stored and served from the scontent.*.fbcdn.net CDNs.
Reproduction Steps
1) Log in to https://www.facebookrecruiting.com/
2) Upload an HTML file named file.pdf
3) Intercept the request and change the file name from file.pdf to file.html, keeping the Content-Type as application/pdf
4) You should get a URL to the uploaded file in the response
This is an example file: https://scontent.ftun3-1.fna.fbcdn.net/v/t39.29810-6/76190145_2675021082561187_2889406825675882491_n.jpg.html/h1.html?_nc_cat=101&_nc_oc=X&_nc_ht=scontent.ftun3-1.fna&oh=74e85a9cc7e9452c3e9bd3979028ce31&oe=5E541E53
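To make the root cause concrete, here is an added example (not Facebook's code) of the weak server-side check the report describes next to a hardened one. The weak check trusts only the client-supplied Content-Type; the hardened check requires the extension, the declared type and the file's leading bytes to agree. The allowlist, the magic-byte table and the sample request are all constructed for this illustration.

```python
import os

# Extensions the upload endpoint accepts, with the MIME type each may carry.
ALLOWED = {
    ".pdf": "application/pdf",
    ".jpg": "image/jpeg",
    ".png": "image/png",
}

# Leading bytes that genuine files of each accepted type start with.
MAGIC = {
    "application/pdf": b"%PDF-",
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
}


def weak_check(filename: str, content_type: str, data: bytes) -> bool:
    """The vulnerable pattern: only the client-declared Content-Type is consulted,
    so a renamed file.html with a PDF Content-Type passes."""
    return content_type in ALLOWED.values()


def hardened_check(filename: str, content_type: str, data: bytes) -> bool:
    """Extension, declared MIME type and actual content must all agree."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:            # rejects .html, .htm, .svg, ...
        return False
    if ALLOWED[ext] != content_type:  # name and header must describe one type
        return False
    # The stored body must actually look like the claimed type; an HTML
    # document does not start with a PDF or image signature.
    return data.startswith(MAGIC[content_type])


# Constructed request mirroring step 3: HTML body, renamed to file.html,
# Content-Type left as application/pdf.
HTML_AS_PDF = (
    "file.html",
    "application/pdf",
    b"<html><body>uploaded as a pdf</body></html>",
)

if __name__ == "__main__":
    print("weak check accepts:", weak_check(*HTML_AS_PDF))        # True
    print("hardened check accepts:", hardened_check(*HTML_AS_PDF))  # False
```

Even with the hardened check, serving user uploads with Content-Disposition: attachment and X-Content-Type-Options: nosniff keeps a CDN from rendering a file as a page if validation is ever bypassed.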
Impact
The impact of this bug is limited, since the XSS would execute on the CDN domains rather than facebook.com. However, it could be chained with other bugs, for example to capture a token, because fbcdn.net subdomains are whitelisted in Linkshim.
Timeline
Nov 4, 2019 — Report sent
Nov 5, 2019 — Acknowledged by Facebook
Nov 6, 2019 — Fixed by Facebook
Nov 13, 2020 — $500 bounty awarded by Facebook