Discovered 2 new Facebook vulnerabilities

The Security researcher Dan Melamed has found two new Facebook vulnerabilities related to the Fanpage Invite of the popular social network.

Security researcher Dan Melamed has found 2 new Facebook vulnerabilities that has been recently patched and that I decided to shows you to understand the infinite possibilities an attacker have to hit also a robust platform like FB.

The Facebook vulnerabilities are considerable a medium-severity bug and allow an attacker to invite any user to like a Facebook Fanpage. Dan Melamed has found 2 Facebook vulnerabilities within the Facebook Fan Page:

A Facebook Fanpage Invite Exploit to invite any Facebook user to like a Fanpage even if they are not my friend
A Cross Site Request Forgery (CSRF) flaw

As explained by Dan a spammer could design a bot to collect a multitude of Facebook ID and spam them with invites to like his fanpage, but what is very interesting is that due the CSRF the invites to be sent on behalf of another user who simply visits a malicious website. Following the Facebook flaw described by the researcher.

“To reproduce this flaw, you first visit a link with the ID of the page you want to invite friends to: https://x.facebook.com/send_page_invite/?pageid=583584051694359You will see a list of your friends to invite. When clicking to invite someone, you change the invitee_id parameter in the HTTP request to another Facebook user id that belongs to someone who is not in your friends list.”The CSRF flaw was that the request was using the GET method without any anti-csrf tokens:http://x.facebook.com/a/send_page_invite/?invitee_id=4&page_id=583584051694359Visiting the link above would invite Mark Zuckerberg (profile id: 4) to like your fanpage.”

Following the video of the Poc:

Excellent the reply of the Facebook security team that fixed the Facebook vulnerabilities, after the fix was applied the link requires a POST method which includes the fb_dtsg token preventing to send invites to people who are not on attacker friends list.

“Depending on the target user’s notification settings, the invite would either appear in their notifications or under the “Like Pages” tab and it usually sends out an email informing the user that they were invited to like the fanpage.”

The rapid diffusion of social networks and the impressive amount of information they manage makes these platforms privileged targets of hackers and cybercriminals, every single feature could be exploited so it’s crucial a rapid incident response of internal security.

Pierluigi Paganini

(Security Affairs – Social network , Facebook Vulnerabilities)