Critical XSS Vulnerabilities in Meta Conversion API Enable Zero-Click Account Takeover

Security researchers have uncovered two critical cross-site scripting (XSS) vulnerabilities in Meta’s Conversions API Gateway that could enable attackers to hijack Facebook accounts on a massive scale without any user interaction.

The flaws affect Meta-owned domains, including facebook.com and meta.com, as well as potentially 100 million third-party deployments of the open-source gateway infrastructure.

Understanding the Conversions API Gateway

The Meta Conversions API Gateway is a server-side solution that enables businesses to transmit web events and customer interaction data directly to Meta’s advertising platforms.

Unlike traditional browser-based tracking methods such as the Facebook Pixel, this gateway bypasses cookie restrictions and ad blockers by operating at the server level.

Meta provides the technology as both a hosted service at gw.conversionsapigateway.com and as open-source containerized software that companies can deploy on their own infrastructure.

The gateway delivers a critical JavaScript file, capig-events.js, to support conversion tracking.

This script executes automatically on Meta properties and thousands of third-party websites, making any vulnerability within it exceptionally dangerous from a supply-chain perspective.

The first flaw exists within the client-side capig-events.js script and stems from improper validation of postMessage origins.

When a page has an opener window, the script listens for configuration messages labeled IWL_BOOTSTRAP. Rather than verifying the message source against an allowlist, the code blindly trusts the event.origin value of the incoming message and stores it for later use.

This trusted origin is subsequently used to dynamically load another JavaScript file (iwl.js) from the attacker-controlled domain.
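The trust decision described above, modelled as an added example (not Meta's capig-events.js) in plain JavaScript so it runs without a browser DOM. The listener is reduced to functions that take a postMessage-style event object and return the script URL that would be loaded; the ALLOWED_ORIGINS list, the function names and the sample events are assumptions constructed for this illustration.

```javascript
// Added example, not code from the gateway. Models an IWL_BOOTSTRAP message
// handler as pure functions: each returns the URL that would become a
// <script src>, or null when the message is rejected.

// Exact-match allowlist of origins permitted to bootstrap the script.
// Constructed for this example; a deployment would list its own gateway host.
const ALLOWED_ORIGINS = new Set([
  "https://gw.conversionsapigateway.com",
]);

// Pattern of the flaw: whoever sends IWL_BOOTSTRAP picks where iwl.js loads from.
function handleBootstrapUnsafe(event) {
  if (!event.data || event.data.type !== "IWL_BOOTSTRAP") return null;
  const trustedOrigin = event.origin;    // taken from the message, unchecked
  return `${trustedOrigin}/iwl.js`;      // attacker origin becomes a script source
}

// A common but insufficient fix: prefix matching lets a lookalike host through.
function originMatchesByPrefix(origin) {
  return [...ALLOWED_ORIGINS].some((allowed) => origin.startsWith(allowed));
}

// Hardened handler: the origin must be a string that exactly equals an
// allowlisted value, and the script URL is built only after that check.
function handleBootstrapSafe(event) {
  if (!event.data || event.data.type !== "IWL_BOOTSTRAP") return null;
  if (typeof event.origin !== "string") return null;
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;   // exact match only
  return `${event.origin}/iwl.js`;
}

// Constructed sample events (no real traffic involved).
const SAMPLE_EVENTS = {
  legitimate: { origin: "https://gw.conversionsapigateway.com", data: { type: "IWL_BOOTSTRAP" } },
  hostile: { origin: "https://attacker.example", data: { type: "IWL_BOOTSTRAP" } },
  lookalike: { origin: "https://gw.conversionsapigateway.com.attacker.example", data: { type: "IWL_BOOTSTRAP" } },
};

for (const [name, ev] of Object.entries(SAMPLE_EVENTS)) {
  console.log(name, "unsafe:", handleBootstrapUnsafe(ev), "safe:", handleBootstrapSafe(ev));
}
```

The lookalike case is why the check is an exact match against a set rather than startsWith or a regular expression: an origin string that merely begins with the trusted host name is a different site.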

While Meta’s Content Security Policy (CSP) and Cross-Origin-Opener-Policy (COOP) appear to provide protection, researchers discovered multiple bypass techniques.

On logged-out Meta pages under the /help/ directory, CSP policies relax to permit third-party analytics domains.

A subdomain takeover or vulnerability on any CSP-allowed domain would allow attackers to host malicious scripts.

Additionally, within Facebook’s Android WebView environment, researchers exploited window.name reuse combined with iframe hijacking to deliver the malicious postMessage.

This multi-step attack chain ultimately enables arbitrary JavaScript execution within the context of meta.com, allowing attackers to steal CSRF tokens and perform privileged operations, including changing the account’s email address, which leads to complete account takeover.

| CVE ID | Vulnerability Type | Affected Component | CVSS Score | Severity |
|---|---|---|---|---|
| CVE-2024-XXXXX | Client-Side XSS (Improper Origin Validation) | capig-events.js | 8.5 | High |
| CVE-2024-YYYYY | Stored XSS (Unsafe String Concatenation) | Gateway Backend (IWL Configuration) | 9.8 | Critical |

The second and more severe vulnerability resides in the gateway’s backend code.

When businesses create event matching rules through Meta’s IWL (Intelligent Web Logging) configuration tool, the backend generates portions of capig-events.js by concatenating user-supplied values without proper sanitization or escaping.

Analysis of publicly available source code revealed unsafe string concatenation in Java files, where JSON keys from API requests are concatenated directly into JavaScript output.

By injecting characters such as quotes and closing brackets, attackers can escape string context and insert arbitrary JavaScript code directly into the capig-events.js file served to all users.
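The code-generation defect described above, as an added example that is not the gateway's Java backend: a JavaScript model of a generator that pastes rule keys into script text by concatenation, next to a hardened generator that validates keys and emits the rules as a JSON literal. The rule shape, the function names and the hostile sample key are assumptions constructed for this illustration; the helper that evaluates the generated script exists only to make the difference observable.

```javascript
// Added example, not the gateway's own code. Two generators for the rules
// portion of a tracking script, fed the same constructed IWL-style rule set.

// Constructed rule whose key carries a string-breakout payload.
const HOSTILE_RULES = {
  'pageView"]={};alert(document.cookie);//': { selector: "#buy" },
};

// Flawed pattern: key and value text is inserted verbatim, so a quote in the
// key terminates the string literal and the remainder becomes live code.
function renderRulesUnsafe(rules) {
  let js = "var capigRules = {};\n";
  for (const key of Object.keys(rules)) {
    js += 'capigRules["' + key + '"]={selector:"' + rules[key].selector + '"};\n';
  }
  return js;
}

// Keys that a rule name may legitimately use (assumed policy for this example).
const KEY_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;

// Hardened pattern: reject keys outside the expected alphabet, then serialise
// the whole structure with JSON.stringify, which escapes every quote,
// backslash and control character. "<" is additionally encoded so the literal
// can never contain "</script" if it is ever inlined into an HTML page.
function renderRulesSafe(rules) {
  for (const key of Object.keys(rules)) {
    if (!KEY_PATTERN.test(key)) {
      throw new Error("rejected rule key: " + JSON.stringify(key));
    }
  }
  const literal = JSON.stringify(rules).replace(/</g, "\\u003c");
  return "var capigRules = " + literal + ";\n";
}

// Runs generated script text with stub `alert` and `document` objects and
// reports whether an injected call executed. Demonstration aid only.
function injectedCodeFires(js) {
  let fired = false;
  const alertStub = () => { fired = true; };
  const run = new Function("alert", "document", js + "\nreturn capigRules;");
  run(alertStub, { cookie: "constructed=1" });
  return fired;
}

const BENIGN_RULES = { pageView: { selector: "#buy" } };

console.log("unsafe generator, hostile key fires:", injectedCodeFires(renderRulesUnsafe(HOSTILE_RULES)));
console.log("safe generator, benign rules:", renderRulesSafe(BENIGN_RULES).trim());
```

Two layers are deliberate: the key pattern keeps unexpected input out of the generated file altogether, and serialising through JSON.stringify means that even a key the pattern missed could only ever appear inside a quoted string rather than as code.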

This stored XSS vulnerability is particularly catastrophic because it does not require tricking individual users.

Once injected, the malicious payload executes automatically for every visitor loading the compromised script across Meta domains and authenticated Facebook sessions, as reported by security researcher Youssef Sammouda.

Because the Conversions API Gateway is open-source technology, the vulnerability extends far beyond Meta’s infrastructure.

Organizations worldwide have deployed the gateway at least 100 million times on their own domains, inheriting the same stored XSS weakness.

This supply-chain vulnerability meant that, within hours of exploitation, attackers could silently compromise millions of users across countless websites without any interaction or warning.

Both flaws highlight a fundamental security principle: analytics infrastructure cannot be treated as low-risk code when it operates as shared, trusted JavaScript across products, domains, and customers.

Small trust boundary failures in such systems can cascade into platform-wide security disasters, underscoring the importance of strict origin validation, defensive CSP design, and safe code-generation practices for modern web platforms.
