Categories: Hacking

Discovered 2 new Facebook vulnerabilities

Discovered 2 new Facebook vulnerabilitiesDiscovered 2 new Facebook vulnerabilities

The Security researcher Dan Melamed has found two new Facebook vulnerabilities related to the Fanpage Invite of the popular social network.

Security researcher Dan Melamed has found 2 new Facebook vulnerabilities that has been recently patched and that I decided to shows you to understand the infinite possibilities an attacker have to hit also a robust platform like FB.

The Facebook vulnerabilities are considerable a medium-severity bug and allow an attacker to invite any user to like a Facebook Fanpage. Dan Melamed has found 2 Facebook vulnerabilities within the Facebook Fan Page:

  1. A Facebook Fanpage Invite Exploit to invite any Facebook user to like a Fanpage even if they are not my friend
  2. A Cross Site Request Forgery (CSRF) flaw
As explained by Dan a spammer could design a bot to collect a multitude of Facebook ID and spam them with invites to like his fanpage, but what is very interesting is that due the CSRF the invites to be sent on behalf of another user who simply visits a malicious website. Following the Facebook flaw described by the researcher.

“To reproduce this flaw, you first visit a link with the ID of the page you want to invite friends to: https://x.facebook.com/send_page_invite/?pageid=583584051694359You will see a list of your friends to invite. When clicking to invite someone, you change the invitee_id parameter in the HTTP request to another Facebook user id that belongs to someone who is not in your friends list.”The CSRF flaw was that the request was using the GET method without any anti-csrf tokens:http://x.facebook.com/a/send_page_invite/?invitee_id=4&page_id=583584051694359Visiting the link above would invite Mark Zuckerberg (profile id: 4) to like your fanpage.”

Following the video of the Poc:
Excellent the reply of the Facebook security team that fixed the Facebook vulnerabilities, after the fix was applied the link requires a POST method which includes the fb_dtsg token preventing to send invites to people who are not on attacker friends list.
“Depending on the target user’s notification settings, the invite would either appear in their notifications or under the “Like Pages” tab and it usually sends out an email informing the user that they were invited to like the fanpage.”
The rapid diffusion of social networks and the impressive amount of information they manage makes these platforms privileged targets of hackers and cybercriminals, every single feature could be exploited so it’s crucial a rapid incident response of internal security.
Pierluigi Paganini
(Security Affairs – Social network , Facebook Vulnerabilities)
Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Published by
Pierluigi Paganini
Tags: CybercrimeexploitFacebookFacebook vulnerabilitiesHackingsocial networks
12 years ago

Recent Posts

Victoria’s Secret ‘s website offline following a cyberattack

Victoria’s Secret took its website offline after a cyberattack, with experts warning of rising threats…

51 minutes ago

China-linked APT41 used Google Calendar as C2 to control its TOUGHPROGRESS malware

Google says China-linked group APT41 controlled malware via Google Calendar to target governments through a…

4 hours ago

New AyySSHush botnet compromised over 9,000 ASUS routers, adding a persistent SSH backdoor.

GreyNoise researchers warn of a new AyySSHush botnet compromised over 9,000 ASUS routers, adding a…

9 hours ago

Czech Republic accuses China’s APT31 of a cyberattack on its Foreign Ministry

The Czech government condemned China after linking cyber espionage group APT31 to a cyberattack on…

22 hours ago

New PumaBot targets Linux IoT surveillance devices

PumaBot targets Linux IoT devices, using SSH brute-force attacks to steal credentials, spread malware, and…

1 day ago

App Store Security: Apple stops $2B in fraud in 2024 alone, $9B over 5 years

Apple blocked over $9B in fraud in 5 years, including $2B in 2024, stopping scams…

1 day ago