Exploiting XSS in Meta Conversion API for Zero-Click Account Takeover

Security researchers have disclosed two critical cross-site scripting (XSS) vulnerabilities in Meta’s Conversions API Gateway that could enable attackers to hijack Facebook accounts on a massive scale.

The flaws affect both Meta’s infrastructure and potentially millions of third-party deployments, exposing users across the internet to silent, interaction-free attacks.

Meta hosts its own deployment at gw.conversionsapigateway.com, which serves a critical JavaScript file named capig-events.js.

This script is automatically loaded by Meta’s fbq client-side JavaScript module. It executes on www.meta.com, business.facebook.com, developers.facebook.com, and numerous third-party customer websites.

Any vulnerability in this script inherits the security context of whatever site includes it, creating a supply-chain security risk.

Vulnerability Details

The first flaw exists entirely within the client-side capig-events.js script. When a page has an opener window present, the script registers a message event listener to receive configuration data.

The vulnerability emerges because the code fails to validate the origin of incoming postMessage events.

Instead of checking event.origin against an allowlist, the script stores whatever origin the message arrived from and later uses that value as the origin of a URL from which it dynamically loads another JavaScript file.

Title                                                                                Affected Component
Client-Side XSS via Improper Origin Validation in Meta Conversion API                capig-events.js
Stored XSS via Unsafe String Concatenation in Meta Conversion API Gateway Backend    Gateway Backend (IWL Configuration)

When a message with type IWL_BOOTSTRAP is received, the script verifies that the provided pixel_id exists in an internal list but does not verify the message’s origin.

The stored origin is then used to construct the path of a script that the page loads, giving the attacker complete control over the origin portion of that URL. The pattern turns an unvalidated origin value into arbitrary code execution in the context of whatever page embedded capig-events.js.
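The following is an added illustration of the pattern just described, not code from capig-events.js: a bootstrap handler that checks pixel_id but trusts event.origin, beside a hardened handler that rejects messages from origins outside an allowlist and never derives the script URL from the message. The message shape (type, pixel_id) follows the article; the pixel ID, the allowlist, the script path and the helper names are assumptions made for the example.

```javascript
// Added example: postMessage bootstrap handling with and without origin validation.
// Not Meta's code. Pixel IDs, allowlist and script path are constructed for the demo.

const KNOWN_PIXEL_IDS = new Set(["123456789012345"]); // constructed sample
const ALLOWED_ORIGINS = new Set(["https://gw.conversionsapigateway.com"]); // assumed allowlist
const GATEWAY_BASE = "https://gw.conversionsapigateway.com"; // fixed base, never taken from a message

// Vulnerable pattern: pixel_id is validated, event.origin is not, and the
// origin becomes the base of the URL the page will load a script from.
function bootstrapUnsafe(event) {
  const msg = event.data;
  if (!msg || msg.type !== "IWL_BOOTSTRAP") return null;
  if (!KNOWN_PIXEL_IDS.has(String(msg.pixel_id))) return null;
  return `${event.origin}/capig/iwl.js?pixel_id=${encodeURIComponent(msg.pixel_id)}`;
}

// Hardened pattern: drop any message whose origin is not on the allowlist, and
// build the script URL from a constant so the sender controls nothing in it.
function bootstrapSafe(event) {
  const msg = event.data;
  if (!msg || msg.type !== "IWL_BOOTSTRAP") return null;
  if (!ALLOWED_ORIGINS.has(event.origin)) return null; // the missing check
  if (!KNOWN_PIXEL_IDS.has(String(msg.pixel_id))) return null;
  return `${GATEWAY_BASE}/capig/iwl.js?pixel_id=${encodeURIComponent(msg.pixel_id)}`;
}

// Constructed messages: one from a cross-origin opener, one from the gateway.
const attackerEvent = {
  origin: "https://attacker.example",
  data: { type: "IWL_BOOTSTRAP", pixel_id: "123456789012345" },
};
const legitEvent = {
  origin: "https://gw.conversionsapigateway.com",
  data: { type: "IWL_BOOTSTRAP", pixel_id: "123456789012345" },
};

function demo() {
  return {
    unsafeFromAttacker: bootstrapUnsafe(attackerEvent), // attacker-hosted script URL
    safeFromAttacker: bootstrapSafe(attackerEvent),     // null: rejected
    safeFromGateway: bootstrapSafe(legitEvent),         // gateway script URL
  };
}

// In a browser the hardened handler would be wired up like this; the guard
// keeps the file runnable under Node for the offline demo.
if (typeof window !== "undefined" && window.opener) {
  window.addEventListener("message", (e) => {
    const url = bootstrapSafe(e);
    if (!url) return;
    const s = document.createElement("script");
    s.src = url;
    document.head.appendChild(s);
  });
}

console.log(demo());
```

The origin check alone is not sufficient if the script URL is still assembled from message data; the hardened handler therefore takes the base URL from a constant and only passes the validated pixel_id through as a query parameter.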

While Content Security Policy (CSP) and Cross-Origin-Opener-Policy (COOP) appear to limit exploitation on most Meta pages, security researcher Youssef Sammouda identified bypass techniques.

Certain Meta pages in logged-out states, particularly under the /help/ directory, relax CSP to include third-party analytics providers.

A subdomain takeover, XSS, or file upload on any CSP-allowed third-party domain would be sufficient to host an attacker script.

The researcher also found that, when the page runs inside Facebook's Android WebView, reusing window.name together with a window.open() call allowed an attacker-controlled page to regain a reference to the opener object, which restores the precondition the vulnerable listener depends on.

By exploiting a vulnerability in a third-party iframe component loaded by meta.com, attackers could hijack the iframe and send malicious postMessage payloads from within the trusted page context.

The second vulnerability resides in the gateway's backend code and represents a more severe threat. The backend code that generates parts of capig-events.js appends user-configurable data into the emitted JavaScript without proper sanitization.

When users create IWL event rules and parameters through the gateway’s graphical interface, the backend constructs JavaScript strings by directly concatenating JSON values supplied in POST requests.

Analysis of the publicly available source code from Amazon ECR revealed that the AHPixelIWLParametersPlugin.java file generates JavaScript output by directly appending user-controlled values for domain_uri, event_type, extractor_config, extractor_type, and id parameters to the script without escaping.

By injecting a single quote, or a sequence such as ']} where the value lands inside an array or object literal, an attacker can break out of the string context and inject arbitrary JavaScript into the script every visitor loads.
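As an added example, not the gateway's own Java code, here is the same mistake modelled in JavaScript: one emitter builds the rule object by concatenating the five user-supplied fields named in the article into single-quoted strings, the other serialises each value as a proper JS string literal. The generated snippet is then executed with stand-in functions so the effect of the breakout can be observed offline. The registration function name, the emitted object shape and the sample rules are assumptions made for the demo.

```javascript
// Added example of stored XSS via unsafe string concatenation in generated JS,
// and the output-encoding fix. Not the gateway's code; names and shapes assumed.

// Vulnerable emitter: raw concatenation of POST-supplied values. A quote in any
// field ends the string literal; the rest of the field is parsed as code.
function emitIwlParamsUnsafe(rule) {
  return "{id:'" + rule.id +
    "',domain_uri:'" + rule.domain_uri +
    "',event_type:'" + rule.event_type +
    "',extractor_type:'" + rule.extractor_type +
    "',extractor_config:'" + rule.extractor_config + "'}";
}

// Safe emitter: JSON.stringify yields a valid JS string literal for any input;
// the extra replacements cover cases where a JSON string is still unsafe inside
// a <script> block (a closing tag, and U+2028/U+2029 line terminators).
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/<\//g, "<\\/")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function emitIwlParamsSafe(rule) {
  const fields = ["id", "domain_uri", "event_type", "extractor_type", "extractor_config"];
  return "{" + fields.map((f) => f + ":" + jsStringLiteral(rule[f] ?? "")).join(",") + "}";
}

// The generated script hands the rule to the pixel runtime (assumed API name).
function renderScript(rule, emit) {
  return "registerIwlRule(" + emit(rule) + ");";
}

// Run the generated snippet with recorders in place of registerIwlRule and
// alert so we can see what it actually does. Offline comparison only; never
// evaluate untrusted output like this in production code.
function runGenerated(script) {
  const calls = { rules: [], alerts: [], error: null };
  try {
    new Function("registerIwlRule", "alert", script)(
      (r) => calls.rules.push(r),
      (m) => calls.alerts.push(String(m)),
    );
  } catch (e) {
    calls.error = e.constructor.name;
  }
  return calls;
}

// Constructed rules: a quote breakout, and a closing-tag payload.
const MALICIOUS_RULE = {
  id: "42",
  domain_uri: "https://shop.example",
  event_type: "Purchase",
  extractor_type: "CSS",
  extractor_config: "x'});alert('pwned');//",
};
const CLOSING_TAG_RULE = { ...MALICIOUS_RULE, extractor_config: "</script><img src=x onerror=alert(1)>" };

function compare(rule) {
  return {
    unsafe: runGenerated(renderScript(rule, emitIwlParamsUnsafe)),
    safe: runGenerated(renderScript(rule, emitIwlParamsSafe)),
  };
}

console.log(renderScript(MALICIOUS_RULE, emitIwlParamsUnsafe));
console.log(compare(MALICIOUS_RULE));
```

With the unsafe emitter the quote payload registers a truncated rule and then calls alert; with the safe emitter the runtime receives the payload as an ordinary string value and nothing else runs. Contextual encoding at the point where data enters the generated script is the fix; validating pixel IDs or rule names elsewhere does not help once a raw value reaches the concatenation.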

Unlike reflected XSS, which needs a victim to follow a crafted link, this stored payload is served to every visitor of every page that loads the affected script, so it executes silently inside authenticated browser sessions at scale.

Because the Conversions API Gateway is open-source technology, any organization deploying it and loading capig-events.js from their own gateway may also be vulnerable to the same stored XSS flaw.

Research indicates the application has been deployed at least 100 million times globally.

Organizations that host the script on their own domains are therefore exposed to the same security risks, potentially affecting users across countless websites worldwide.

In practical terms, attackers could have compromised millions of Facebook users within hours by targeting visitors to virtually any page on the internet that includes this script.

Because the vulnerable code executes in trusted Facebook and third-party contexts simultaneously, the attack surface is vast. It requires no user interaction or warning signs.


The post Exploiting XSS in Meta Conversion API for Zero-Click Account Takeover appeared first on Cyber Security News.
