
The flaws turn a widely used analytics bridge into a mass‑scale attack vector, jeopardizing millions of user accounts and exposing a major supply‑chain risk for advertisers and publishers.
Server‑side conversion tracking has become a cornerstone of digital advertising, allowing brands to bypass browser restrictions and feed reliable data directly to platforms like Meta. By moving the collection point from the client to the server, the Conversions API Gateway promises greater accuracy and privacy, but it also expands the attack surface. When a single JavaScript bundle such as capig‑events.js is shared across millions of sites, any flaw becomes a supply‑chain hazard, echoing past incidents where compromised analytics scripts silently harvested data at scale.
The first vulnerability exploits a lax origin check in the client‑side script. Attackers can craft a malicious postMessage that the gateway accepts without verification, then force the browser to load a hostile iwl.js from a controlled domain. Even Meta’s CSP and COOP headers can be sidestepped through relaxed policies on help pages or Android WebView quirks, granting arbitrary code execution in the context of meta.com. The second flaw is a classic stored XSS: backend code concatenates unsanitised user input into the generated JavaScript, allowing an attacker to embed malicious payloads that run for every visitor. Because the script is served to all authenticated sessions, the attack requires no clicks, enabling rapid, silent account hijacks.
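The two defensive patterns the flaws above call for, shown as an added JavaScript example that is not code from the article or from Meta's gateway: a postMessage handler that trusts only exact, allow-listed origins and never lets the message pick which script gets loaded, and a config-script generator that embeds user-controlled values as escaped string literals instead of concatenating raw text. The allowed-origin set, the `capig:event` message type, the `capigConfig`/`pixelId` shape, the loader URL and every function name are assumptions made for the example; the injected value is constructed test input.

```javascript
// Added example (hypothetical names throughout; not Meta's gateway code).

// Assumed allow-list of origins the gateway page legitimately exchanges messages with.
const ALLOWED_ORIGINS = new Set(["https://www.meta.com", "https://business.facebook.com"]);
// The loader script location is a fixed constant (placeholder), never taken from a message.
const LOADER_SCRIPT_URL = "https://example.invalid/static/iwl.js";

// Lax check of the kind the article describes: a substring test also accepts
// attacker-controlled origins such as https://meta.com.attacker.example.
function isTrustedOriginLax(origin) {
  return typeof origin === "string" && origin.includes("meta.com");
}

// Hardened check: exact match against a closed allow-list.
function isTrustedOriginStrict(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Decide what to do with a MessageEvent-like object ({ origin, data }).
// Returns a plain result object so the decision can be asserted on.
function handleGatewayMessage(event) {
  if (!isTrustedOriginStrict(event.origin)) {
    return { accepted: false, reason: "untrusted origin" };
  }
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "capig:event") {
    return { accepted: false, reason: "unexpected message shape" };
  }
  // Any scriptUrl the sender supplies is ignored; the loader is hard-coded.
  return { accepted: true, reason: "ok", scriptUrl: LOADER_SCRIPT_URL };
}

// Escape a value for embedding inside an inline <script> as a JS string literal.
// JSON.stringify handles quotes, backslashes and control characters; the extra
// replacements prevent "</script>" breakout and the U+2028/U+2029 line separators.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Unsafe generation: raw concatenation, the pattern behind a stored XSS.
function renderConfigScriptUnsafe(pixelId) {
  return 'window.capigConfig = { pixelId: "' + pixelId + '" };';
}

// Hardened generation: the value can only ever land inside a string literal.
function renderConfigScriptSafe(pixelId) {
  return "window.capigConfig = { pixelId: " + toJsStringLiteral(pixelId) + " };";
}

// Run a generated script against a fake window object and return that object,
// so we can see exactly what the script did without touching a real DOM.
function runGeneratedScript(script) {
  const win = {};
  new Function("window", script)(win);
  return win;
}

// Constructed test value: closes the object literal and appends a statement.
const CONSTRUCTED_INPUT = 'abc" }; window.hijacked = true; //';

// Stand-alone demonstration.
function demo() {
  const spoofed = { origin: "https://meta.com.attacker.example", data: { type: "capig:event" } };
  console.log("lax check accepts spoofed origin:", isTrustedOriginLax(spoofed.origin));
  console.log("strict handler:", handleGatewayMessage(spoofed));

  const unsafeWin = runGeneratedScript(renderConfigScriptUnsafe(CONSTRUCTED_INPUT));
  console.log("unsafe: pixelId =", unsafeWin.capigConfig.pixelId, "hijacked =", unsafeWin.hijacked);

  const safeWin = runGeneratedScript(renderConfigScriptSafe(CONSTRUCTED_INPUT));
  console.log("safe:   pixelId =", safeWin.capigConfig.pixelId, "hijacked =", safeWin.hijacked);
}

demo();
```

The origin check compares the full origin string, so a lookalike host fails even though it contains `meta.com`; the generator keeps the injected text inside the literal, so the extra statement never runs and the only observable effect is a pixel ID containing junk, which an input validator can reject before it reaches code generation.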
For enterprises that have deployed the open‑source gateway, the risk is immediate. A compromised script could expose credentials, alter ad spend, or manipulate conversion data, undermining both security and business intelligence. Immediate mitigation includes patching the gateway, enforcing strict CSP directives, and auditing any custom IWL configurations for unsafe inputs. Over the longer term, the episode underscores the need for rigorous code‑generation hygiene and supply‑chain testing in analytics infrastructure, reminding the industry that even low‑profile utilities can become critical security choke points.