Pakistani Student Rewarded by $500 USD for detecting HTML Injection Vulnerability in Facebook

Haider Mehmood Qureshi, an independent security researcher from Islamabad has been rewarded with $500 for detecting HTML Injection Vulnerability in Facebook. 

According to Haider, Facebook was vulnerable in HTML code, their are some serious Remote HTML injection. Remote User was able to add any brand Name and Radio buttons, hence allowing Remote HTML injection. It was as simple as it sounds. The issue can also cause adding junk/spam entries into the database.



Bug details:

Vulnerability title: HTML Injection
Vendor homepage: http://m.facebook.com
Remote/Local: Remote
Tested on: Windows 7 64 bit Firefox browser (but should have worked on other OS and browsers (not sure about IE))
Vulnerability Submitted on: 12/1/2013
Vulnerability Status: FIXED


Detail: Facebook mobile provides a survey to evaluate the mobile user experience as they surf Facebook mobile site. Here is the survey https://m.facebook.com/survey.php . While entering the mobile phone brands , it provides a list of brands in case you didn't type the correct brand.


The list that was provided contained their HTML code inside the parameter https://m.facebook.com/survey.php?incorrect_brand¶ms=[HTML code of Brands and Radio Buttons]
Remote User was able to add any brand Name and Radio buttons, hence allowing Remote HTML injection. It was as simple as it sounds. The issue can also cause adding junk/spam entries into the database.



Haider Mehmood Qureshi, BS Computer Sciences Student from Comsats Intitute of information technology Islamabad. Started learning pentesting/hacking in 2009. Initially was into defacing, later realized to make Pentesting/security auditing as my career. His Friends motivated him to go for bug bounties. 
Contact: haidermehmoodqureshi@yahoo.com