Before I continue, I want to first declare that this is a hypothetical scenario and that I did not actually exploit this on the internet. (I do not want my readers to think I am click-baiting.)
Recently I got into online marketing, and it was certainly eye-opening to learn how people make a living out of online business.
They could be making money literally anywhere in the world and have the ability to generate true passive income even while they are asleep.
Anyway, one of the more important takeaways is that Facebook has a little snippet of script called the Facebook pixel.
Think about it as Google Analytics but for Facebook.
It allows an online business to retarget its visitors using Facebook ads.
After inserting the Facebook pixel, marketers usually work in two phases.
The first phase is to drive traffic to their website in the hope of converting leads into sales.
And in the second phase they have two options.
- Retarget customers that have purchased an item, or
- Retarget customers that have added an item to the cart but did not checkout.
Information Security Is Hard
I am into web application security and am always thinking of ways to explain a security flaw to someone non-technical.
Usually the explanation of an XSS vulnerability consists of cookie stealing or defacement.
All of these ideas are pretty abstract and do not resonate well with a non-technical person.
So here goes another attempt in getting them to understand the severity of a persistent XSS.
As a business owner, imagine someone were to inject their own Facebook pixel into your website.
An attacker is then able to retarget all of your converting audience to their own business.
Remember in the beginning I mentioned the first phase, driving traffic?
Unless you are already ranking on Google, it is not cheap to drive traffic. So no business owner in the world is willing to let someone else retarget their customers.
Back to the mindset of an attacker.
Why would an attacker do this?
If they could gain administrative access and deface a competitor's site, why go to all this trouble?
The reason is simple: it is hard to detect.
How often do business owners check the elements of their websites?
Even if they do, they would probably overlook the fact that there is an extra Facebook pixel that should not be there.
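One practical way for a site owner to stop overlooking an extra pixel is to stop relying on eyeballing the page and instead list every pixel ID the page actually loads, then compare it to the IDs they know they installed. The script below is an added example, not code from the original post: the pixel IDs and the sample page are constructed placeholders, and the only assumption about the real pixel is the two places it shows up in a page, the `fbq('init', '<id>')` call in an inline script and the `<noscript>` fallback image fetched from `https://www.facebook.com/tr?id=<id>`.

```python
"""Defensive check: list the Facebook pixel IDs a page actually loads and
flag any that are not on the site owner's allowlist.

Added example (not from the original post). The sample HTML and the pixel
IDs are constructed placeholders. Detection relies on the two places a
pixel appears: the fbq('init', '<id>') call in an inline script and the
<noscript> fallback image https://www.facebook.com/tr?id=<id>.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Pixel IDs the site owner knows they installed (constructed placeholder).
KNOWN_PIXEL_IDS = {"1111111111111111"}

# Constructed sample page: the legitimate pixel in <head>, plus a second
# pixel that ended up inside user-supplied content (the stored XSS case
# described in the post).
SAMPLE_HTML = """<!doctype html>
<html><head>
<script>
  fbq('init', '1111111111111111');
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=1111111111111111&amp;ev=PageView&amp;noscript=1"/></noscript>
</head><body>
<h1>Shop</h1>
<div class="review">Great product!
<script>fbq("init", "2222222222222222"); fbq("track", "Purchase");</script>
<noscript><img src="https://www.facebook.com/tr?id=2222222222222222&amp;ev=PageView&amp;noscript=1"/></noscript>
</div>
</body></html>
"""

# Matches fbq('init', '<digits>') with either quote style and loose spacing.
FBQ_INIT_RE = re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]""")


class PixelCollector(HTMLParser):
    """Collects every pixel ID referenced by inline scripts or tracking images."""

    def __init__(self):
        super().__init__()
        self.pixel_ids = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "img":
            # HTMLParser already unescapes &amp; in attribute values.
            url = urlparse(attrs.get("src") or "")
            # The noscript fallback is a 1x1 image fetched from facebook.com/tr?id=...
            if url.netloc.endswith("facebook.com") and url.path == "/tr":
                self.pixel_ids.update(parse_qs(url.query).get("id", []))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands the whole inline <script> body to handle_data.
        if self._in_script:
            self.pixel_ids.update(FBQ_INIT_RE.findall(data))


def find_pixel_ids(html):
    """Return the set of Facebook pixel IDs referenced anywhere in the page."""
    collector = PixelCollector()
    collector.feed(html)
    collector.close()
    return collector.pixel_ids


def unexpected_pixels(html, allowed_ids):
    """Return pixel IDs present on the page but absent from the allowlist, sorted."""
    return sorted(find_pixel_ids(html) - set(allowed_ids))


if __name__ == "__main__":
    rogue = unexpected_pixels(SAMPLE_HTML, KNOWN_PIXEL_IDS)
    print("pixel IDs found:", sorted(find_pixel_ids(SAMPLE_HTML)))
    print("NOT on allowlist:", rogue or "none")
```

Run it against the HTML the server actually serves (fetched the way a visitor would see it, so that content from the database is included), on a schedule or as a post-deploy check, and treat any ID outside the allowlist as an incident to investigate. A Content Security Policy that disallows inline scripts would stop the injected `fbq` call from running at all, which is the real fix; this check is the cheap way to notice when something slipped through.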
Position of Security Consultants
I think the role of a security consultant is unique.
Business people need to put themselves in the shoes of their customers.
C-level executives need to put themselves in the shoes of their employees.
But as a security consultant, you need to put yourself in the shoes of both a developer and the website owner.
It is your job to not only find the vulnerability but also make it meaningful so that the receiving end understands the severity of the vulnerability.