Full Report
Facebook is used by almost everybody. Being able to see who is logged in can allow for targeted attacks, account takeovers, and employee profiling. This article dives into several techniques the researcher used to de-anonymize users.

The first issue occurs in the Zoom callbacks in Facebook Workplace. When supplying __cid and __user, an attacker can brute-force the user ID of the Workplace community. If __user is correct, an empty page with Content-Type text/html is returned. If it is incorrect, the response is application/json, which triggers CORB and blocks script execution. By observing onload and onerror events, it is possible to determine the user ID of the logged-in user.

When embedding a Facebook plugin, such as the Like plugin, inside an iframe, the rendering differs depending on the supplied user ID. If __user is correct, everything renders as normal. If it is incorrect, X-Frame-Options: Deny is returned, preventing the iframe from loading. This distinction allows brute-forcing the active user or page ID by observing postMessage events rather than relying on a timeout.

The endpoint https://www.facebook.com/signals/iwl.js?pixel_id=PIXEL_ID returns a JavaScript payload intended for internal Meta Pixel testing, including the Facebook user ID. This value is scoped inside a function, but by manipulating JavaScript prototypes before loading the script, it can still be extracted. Their PoC modifies the function prototype and prints the user ID from the object. Because the script runs within the full context of the embedding page, the data can still be read. Neat!

They got 2.4K for the first two bugs and 3.6K for the third bug. Good work by the author!
Analysis Summary
# Vulnerability: Multiple Cross-Site Leaks (XS-Leaks) Disclosing Meta User Identities
## CVE Details
- **CVE ID:** Not assigned (Directly disclosed via Bug Bounty program)
- **CVSS Score:** N/A (Estimated Medium: 4.3 - 6.1)
- **CWE:** CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-346: Origin Validation Error
## Affected Systems
- **Products:** Facebook, Workplace by Meta, Meta for Work, and internal Meta subdomains.
- **Versions:** All web-based versions prior to the May 2025 patches.
- **Configurations:** Users logged into Meta platforms while visiting a malicious or compromised third-party website.
## Vulnerability Description
Techniques discovered by researcher Youssef Sammouda allow third-party sites to deanonymize visitors by exploiting Cross-Site Leak (XS-Leak) primitives:
1. **Workplace Callback Brute-force:** The Zoom callback endpoint at `work-api.workplace.com` responds with different Content-Types based on whether a provided User ID (`__user`) matches the session. Correct IDs return `text/html` (loads as script), while incorrect IDs return `application/json` (blocked by CORB), allowing ID discovery via `onload`/`onerror` events.
2. **Facebook Plugin Oracle:** Embedding a Facebook "Like" plugin iframe with a candidate `__user` ID. Correct IDs allow the iframe to load and send a `postMessage`. Incorrect IDs trigger an `X-Frame-Options: Deny` header, blocking the load and preventing the message.
3. **Prototype Manipulation against the Meta Pixel Test Script:** The `signals/iwl.js` script reflects the user's ID inside a function. By modifying `Function.prototype` on the attacker's page before the script loads, the ID can be intercepted and extracted directly, because the script executes in the embedding page's JavaScript context.
4. **Internal Subdomain Probing:** Internal subdomains (e.g., `sb.facebook.com`) leak employee-specific identifiers (Unix usernames/emails) via subdomain-based routing.
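The first two oracles above come down to one defect: a response whose status, Content-Type or framing headers depend on whether the supplied `__user` matches the session. The following added example (not Meta's code) models both endpoints as described, shows a hardened form of each (an assumption about how such endpoints should behave, not Meta's actual fix), and includes a uniformity check a team could run as a regression test. The `Sec-Fetch-Site` gate and the `SESSION_USER` value are constructed for the example.

```python
# Added example: stand-ins for the Workplace Zoom callback and the Like plugin
# endpoints reproducing the response differences the write-up describes, plus
# hardened forms and a check that flags any observable difference.
from dataclasses import dataclass, field

SESSION_USER = "100012345"  # constructed: ID of the logged-in user

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def vulnerable_callback(params: dict) -> Response:
    """Leak 1 as described: Content-Type depends on whether __user matches."""
    if params.get("__user") == SESSION_USER:
        return Response(200, {"Content-Type": "text/html"}, "")
    return Response(200, {"Content-Type": "application/json"}, '{"error":"bad user"}')

def vulnerable_plugin(params: dict) -> Response:
    """Leak 2 as described: X-Frame-Options: Deny is sent only on a mismatch."""
    if params.get("__user") == SESSION_USER:
        return Response(200, {"Content-Type": "text/html"}, "<html>Like</html>")
    return Response(200, {"Content-Type": "text/html", "X-Frame-Options": "DENY"}, "")

def hardened_callback(params: dict, fetch_site: str = "same-site") -> Response:
    """Hardened form (assumption): the callback has no cross-site use, so reject
    on the Sec-Fetch-Site value first; the reply never depends on __user."""
    if fetch_site not in ("same-origin", "same-site", "none"):
        return Response(403, {"Content-Type": "text/plain"}, "")
    _ = params.get("__user") == SESSION_USER  # used server-side, not reflected
    return Response(200, {"Content-Type": "text/html"}, "")

def hardened_plugin(params: dict) -> Response:
    """Hardened form (assumption): the plugin must stay embeddable, so headers
    are fixed and a mismatch is rendered in-band rather than via framing."""
    ok = params.get("__user") == SESSION_USER
    body = "<html>Like</html>" if ok else "<html>Unavailable</html>"
    return Response(200, {"Content-Type": "text/html"}, body)

OBSERVABLE = ("Content-Type", "X-Frame-Options")

def distinguishable(a: Response, b: Response) -> list:
    """Signals a cross-origin page can observe that differ between a and b."""
    diffs = ["status"] if a.status != b.status else []
    diffs += [h for h in OBSERVABLE if a.headers.get(h) != b.headers.get(h)]
    return diffs

def audit(handler) -> list:
    """Compare a handler's response for the real user ID against a wrong one."""
    return distinguishable(handler({"__user": SESSION_USER}), handler({"__user": "100099999"}))
```

An empty list from `audit` means the endpoint gives a cross-origin observer nothing to compare across candidate IDs for the signals this page covers; body-size side channels are outside its scope.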
## Exploitation
- **Status:** PoC available; addressed by vendor.
- **Complexity:** Low to Medium (requires basic brute-forcing or JS prototype manipulation).
- **Attack Vector:** Network (Web-based via cross-origin requests).
## Impact
- **Confidentiality:** High (Disclosure of unique User IDs, Workplace community membership, and Meta employee status).
- **Integrity:** None.
- **Availability:** None.
## Remediation
### Patches
- **Meta Platform Updates:** Meta deployed server-side fixes on May 22, 2025, to normalize responses and implement stricter validation on the affected endpoints.
### Workarounds
- **Browser Security:** Users can utilize privacy-focused browsers or extensions that block cross-site tracking and "social" widgets.
- **Site Isolation:** Browser features such as Cross-Origin Read Blocking (CORB) and the `Cross-Origin-Opener-Policy` (COOP) header limit some cross-site leak primitives. Note that the first technique above uses CORB's blocking behaviour as its oracle, so browser-side defenses are no substitute for server-side fixes that keep responses uniform regardless of the supplied ID.
## Detection
- **Indicators of Compromise:** High-frequency script loading or iframe generation targeting `facebook.com` or `workplace.com` endpoints with varying `__user` parameters.
- **Detection Methods:** Web Application Firewalls (WAF) can monitor for unusual cross-origin requests targeting internal Meta Pixel or plugin endpoints.
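The indicator above (many requests to the plugin, callback or pixel endpoints with a changing `__user` value) can be checked directly against access logs. The following added example (not Meta's or the researcher's code) parses combined-format log lines, which are constructed here, and reports any client and Referer pair that cycles through more than a threshold of distinct `__user` values against one watched path; the threshold and the endpoint paths used as keys are assumptions for the example.

```python
# Added example: flag __user enumeration against the endpoints this page names.
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                  r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')
WATCHED = ("/plugins/like.php", "/zoom/callback/", "/signals/iwl.js")
THRESHOLD = 5  # distinct __user values per (client, referer, path); assumption

def parse(line: str):
    """Return (ip, referer, path, __user) for a watched request, else None."""
    m = LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    if not any(url.path.startswith(p) for p in WATCHED):
        return None
    uid = (parse_qs(url.query).get("__user") or [None])[0]
    return m["ip"], m["referer"], url.path, uid

def find_enumeration(lines) -> list:
    """Keys whose distinct __user count reaches THRESHOLD, sorted."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and rec[3]:
            ip, ref, path, uid = rec
            seen[(ip, ref, path)].add(uid)
    return sorted(k for k, v in seen.items() if len(v) >= THRESHOLD)

# Constructed sample: one embedding page cycles candidate IDs at the Like plugin,
# one ordinary site embeds the plugin once, one unrelated request.
SAMPLE_LOG = [
    f'203.0.113.5 - - [22/May/2025:10:00:0{i} +0000] "GET /plugins/like.php?href=x&__user=10001234{i} '
    f'HTTP/1.1" 200 0 "https://evil.example/" "Mozilla/5.0"'
    for i in range(6)
] + [
    '198.51.100.7 - - [22/May/2025:10:00:09 +0000] "GET /plugins/like.php?href=x&__user=100055555 '
    'HTTP/1.1" 200 412 "https://news.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [22/May/2025:10:00:10 +0000] "GET /ajax/bootloader HTTP/1.1" 200 9 '
    '"https://www.facebook.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ref, path in find_enumeration(SAMPLE_LOG):
        print(f"possible __user enumeration: {ip} via {ref} against {path}")
```

The Referer is only a grouping hint; a page that sets a strict `Referrer-Policy` will leave it empty, so the client address and path still carry the signal.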
## References
- **Researcher Blog:** hxxps[://]ysamm[.]com/
- **Facebook Plugin Endpoint:** hxxps[://]www[.]facebook[.]com/plugins/like[.]php
- **Meta Pixel Testing Script:** hxxps[://]www[.]facebook[.]com/signals/iwl[.]js?pixel_id=PIXEL_ID
- **Workplace API:** hxxps[://]work-api[.]workplace[.]com/zoom/callback/