XSS in Facebook CDN through AR Studio Effects

AR Studio Effects

While browsing the Facebook newsletter, I found that they had made a new addition, AR Studio Effects ( https://www.facebook.com/fbcameraeffects/home/ ).

Facebook lets developers upload camera effects for AR Studio, and the effect upload form includes a field for uploading a screencast. That upload endpoint does not check the file content or the file extension, which allows an attacker to change the extension to .html, place harmful JavaScript in the file, and have it executed from the Facebook CDN.


1) Navigate to https://www.facebook.com/fbcameraeffects/home/

2) Click on Upload AR Studio Effect

3) Scroll to the bottom until you find the section for uploading a “Screencast”

4) Proceed to upload a valid mp4 file

5) Turn on an HTTP interceptor like Burp Suite and capture the upload request made to /fbcameraeffects/ar_effect/screencast_upload/

6) Change the filename extension from .mp4 to .html

7) Change the file contents to malicious code
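As an added example (not code from the original post or from Facebook), here is the kind of server-side validation the screencast upload endpoint described above lacked. It assumes a hypothetical upload handler that hands us the client-supplied filename, declared MIME type and raw bytes; it only accepts the upload when all three agree on an MP4 container, and the stored object name and response headers are chosen by the server rather than taken from the client.

```python
import re

# Constructed policy for a screencast upload: only MP4 video is expected.
ALLOWED_EXTENSIONS = {"mp4"}
ALLOWED_MIME = {"video/mp4"}
# Defense-in-depth: reject anything that looks like active content near the
# start of the file, regardless of what the client claims it is.
HTML_MARKERS = re.compile(rb"<\s*(!doctype|html|script|svg|body|iframe)", re.IGNORECASE)


def is_mp4(data: bytes) -> bool:
    """MP4 (ISO BMFF) files start with a box whose type field, bytes 4..8, is 'ftyp'."""
    return len(data) >= 12 and data[4:8] == b"ftyp"


def validate_screencast_upload(filename: str, declared_mime: str, data: bytes):
    """Return (ok, reason); the upload is accepted only if every check passes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext or '?'} not allowed"
    if declared_mime.lower() not in ALLOWED_MIME:
        return False, f"declared type {declared_mime!r} not allowed"
    if HTML_MARKERS.search(data[:1024]):
        return False, "content looks like HTML or script"
    if not is_mp4(data):
        return False, "content is not an MP4 container"
    return True, "ok"


def storage_name(upload_id: str) -> str:
    """Server-chosen object name: the client's filename never reaches storage."""
    return f"{upload_id}.mp4"


def serving_headers() -> dict:
    """Headers for serving the stored object from the CDN: fixed type, no sniffing,
    and a sandboxed policy so even a mis-stored file cannot run scripts in the origin."""
    return {
        "Content-Type": "video/mp4",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


# Constructed sample inputs: a minimal MP4 header and a renamed HTML file.
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2mp41"
SAMPLE_HTML = b"<html><script>document.title='x'</script></html>"
```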

