A security Researcher Frans Rosén has discovered Cross Site Scripting vulnerability in Facebook and DropBox.
Initially , the researcher was working on finding security flaws on DropBox. He noticed that when using their web interface there were some restrictions on what filenames that were allowed. He tried to rename the file with '"><img src=x onerror=alert(document.domain)>.txt But he got error message that some special characters are not allowed.
"But, if you instead, connected a local directory, created a file there and synced it, you got it inside Dropbox without any problems."The researcher explained in his blog. "Using this method I was able to find two issues with their notification messages showing unescaped filenames."
He notified DropBox about the vulnerability and they have successfully patched the flaw.
After some time, he noticed that there is connection between DropBox and Facebook. You can add files directly from DropBox to your Facebook groups. So he was curious to test the vulnerability in Facebook also.
In his Facebook group, he tried to add the previously uploaded file in the DropBox. After he posted in the group, the xss attack didn't work. But when he clicked the 'Share' link in the post, he got alert message. Yes, Successfully, he managed to run the Script in Facebook. The XSS also worked when he shared the crafted pin from the Pinterest.
Researcher got $3,500 USD bug bounty for notifying the vulnerability, facebook fixed the vulnerability now.