XSS in Facebook CDN due to improper filtering of uploaded file extensions

Description

This bug allowed an attacker to upload HTML files to Facebook's CDNs. The upload endpoint only validated the MIME type supplied in the request's Content-Type header and never checked the file extension, so a file named with an .html extension but submitted with a permitted Content-Type (for example application/pdf) was accepted and stored on the scontent.*.fbcdn.net CDN hosts, where it was served as HTML.

Reproduction Steps

1) Log in to https://www.facebookrecruiting.com/

2) Upload an HTML file named file.pdf

3) Intercept the request and change the filename from file.pdf to file.html, keeping the Content-Type as application/pdf

4) The response contains the URL of the uploaded file on the CDN

This is an example file: https://scontent.ftun3-1.fna.fbcdn.net/v/t39.29810-6/76190145_2675021082561187_2889406825675882491_n.jpg.html/h1.html?_nc_cat=101&_nc_oc=X&_nc_ht=scontent.ftun3-1.fna&oh=74e85a9cc7e9452c3e9bd3979028ce31&oe=5E541E53
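To make the root cause concrete, here is an added example (not code from the report or from Facebook) that builds the multipart upload the way the reproduction steps describe, then runs it through two server-side validators: one that mirrors the flawed behaviour described above (it trusts only the client-supplied Content-Type) and a hardened one that requires the extension, the declared type and the file's leading bytes to agree. The endpoint name, the allowlist, the boundary string and the HTML/PDF payloads are all constructed for the demonstration and are not taken from the original report.

```python
import re
from os.path import splitext

# Constructed sample inputs (not files from the original report): an HTML
# payload an attacker would submit, and a minimal PDF for the legitimate case.
BOUNDARY = b"----WebKitFormBoundaryEXAMPLE"
HTML_PAYLOAD = b"<html><body><script>alert(document.domain)</script></body></html>"
PDF_PAYLOAD = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

# Assumed allowlist for the demo: permitted extensions and the MIME type
# each one must be declared with, plus the leading bytes ("magic") each
# permitted type must actually start with.
ALLOWED = {".pdf": "application/pdf", ".jpg": "image/jpeg", ".png": "image/png"}
MAGIC = {
    "application/pdf": b"%PDF-",
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
}


def build_multipart(filename, content_type, data, boundary=BOUNDARY):
    """Build a multipart/form-data body with one file part, as the intercepted
    request looks after the filename has been edited in a proxy."""
    return (
        b"--" + boundary + b"\r\n"
        + b'Content-Disposition: form-data; name="file"; filename="'
        + filename.encode() + b'"\r\n'
        + b"Content-Type: " + content_type.encode() + b"\r\n\r\n"
        + data + b"\r\n"
        + b"--" + boundary + b"--\r\n"
    )


def parse_multipart(body, boundary=BOUNDARY):
    """Minimal parser: return (filename, content_type, data) for each file part."""
    parts = []
    for chunk in body.split(b"--" + boundary):
        if not chunk or chunk.startswith(b"--"):  # preamble or closing delimiter
            continue
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        if chunk.endswith(b"\r\n"):  # CRLF before the next boundary belongs to it
            chunk = chunk[:-2]
        raw_headers, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in raw_headers.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        match = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        if match:
            parts.append((match.group(1), headers.get("content-type", "").lower(), data))
    return parts


def vulnerable_accept(filename, content_type, data):
    """The flawed check the write-up describes: it trusts the client-supplied
    Content-Type and never looks at the extension or at the bytes."""
    return content_type in ALLOWED.values()


def hardened_accept(filename, content_type, data):
    """Accept only when extension, declared type and real content all agree.
    Returns (accepted, reason)."""
    # 1. Extension allowlist on the final suffix, so "x.jpg.html" is .html.
    ext = splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not allowed"
    # 2. The declared Content-Type must be the one mapped to that extension.
    if content_type != ALLOWED[ext]:
        return False, f"content-type {content_type!r} does not match {ext!r}"
    # 3. The bytes must actually carry that type's signature.
    if not data.startswith(MAGIC[content_type]):
        return False, "file signature does not match declared type"
    return True, "ok"


def check_upload(filename, content_type, data):
    """Run both validators over a request built like the reproduction steps."""
    body = build_multipart(filename, content_type, data)
    (name, ctype, payload), = parse_multipart(body)
    return {
        "vulnerable": vulnerable_accept(name, ctype, payload),
        "hardened": hardened_accept(name, ctype, payload)[0],
    }


if __name__ == "__main__":
    # Step 3 of the reproduction: HTML bytes, .html name, PDF Content-Type.
    print(check_upload("file.html", "application/pdf", HTML_PAYLOAD))
    # A genuine PDF upload for comparison.
    print(check_upload("file.pdf", "application/pdf", PDF_PAYLOAD))
```

On the crafted request the vulnerable check accepts the file because application/pdf is on the allowlist, while the hardened check rejects it at the extension step; renaming the same HTML bytes back to file.pdf still fails the hardened check at the signature step. On the serving side, storing uploads under a server-generated name with the extension taken from the allowlist, and sending Content-Disposition: attachment and X-Content-Type-Options: nosniff, removes the remaining ways a browser could be talked into rendering an upload as a document.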

Impact

The impact of this bug is limited because the XSS executes on the CDN domains rather than on facebook.com itself. It could still be chained with other bugs, for example to capture a token, since fbcdn.net subdomains are whitelisted in Linkshim.

Timeline

Nov 4, 2019 — Report sent
Nov 5, 2019 — Acknowledged by Facebook
Nov 6, 2019 — Fixed by Facebook
Nov 13, 2020 — $500 bounty awarded by Facebook