The white hat hacker who goes online with the moniker “Samm0uda” discovered a critical CSRF vulnerability in Facebook and the social network giant paid a $25,000 bounty.
“This bug could have allowed malicious users to send requests with CSRF tokens to arbitrary endpoints on Facebook which could lead to takeover of victims’ accounts. In order for this attack to be effective, an attacker would have to trick the target into clicking on a link,” wrote the expert.
The flaw resides in the facebook.com/comet/dialog_DONOTUSE/ endpoint. The hacker leveraged it to bypass CSRF protections and act on the user’s behalf by tricking them into clicking a malicious URL.
“This is possible because of a vulnerable endpoint which takes another given Facebook endpoint selected by the attacker along with the parameters and makes a POST request to that endpoint after adding the fb_dtsg parameter. Also this endpoint is located under the main domain www.facebook.com which makes it easier for the attacker to trick his victims into visiting the URL,” continues the expert.
“The vulnerable endpoint is:
https://www.facebook.com/comet/dialog_DONOTUSE/?url=XXXX where XXXX is the endpoint with parameters where the POST request is going to be made (the CSRF token fb_dtsg is added automatically to the request body).”
Samm0uda published PoC URLs that could allegedly be exploited to post something on a user’s timeline and delete their profile picture.
The flaw could have been exploited even to delete the account of a targeted user, but in this case, victims have to provide their password before the account is deleted.
The flaw could have also been exploited to take control of an account by using requests that would change the targeted user’s email address or phone number associated with the account. Once the attacker has added his email address or phone number to an account, he can start a password reset.
Of course, to take full control over a Facebook account the attacker would have had to use the flaw two times: the first time to replace the email address or phone number of the victim, and the second time to confirm the action.
The expert was also able to create a single link that allowed him to obtain the access token of the victims.
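The core weakness described above is an endpoint that accepts an attacker-chosen target, forwards a POST to it and attaches the session’s CSRF token unconditionally, so a clicked link becomes a token-bearing authenticated request. The following is an added example, not code from the article or from Facebook, that models that forwarding pattern in miniature beside a hardened form. The endpoint paths, the allowlist contents, the session dictionary, the `fb_dtsg` token value and the `sec_fetch_site` parameter are all constructed placeholders for the example; the real endpoint’s internals are not known from the post.

```python
"""Added example (not from the article or from Facebook): a minimal model of the
"forwarding dialog" pattern the post describes, beside a hardened version.

Assumed/constructed: the endpoint paths, the allowlist contents, the session
dict and the token value are placeholders chosen for this example."""
import posixpath
from urllib.parse import urlsplit, parse_qsl

# Constructed session: the server-side CSRF token it would attach (placeholder value).
SESSION = {"user_id": "12345", "fb_dtsg": "EXAMPLE_CSRF_TOKEN"}

# Hypothetical allowlist of endpoints the dialog is legitimately meant to call.
ALLOWED_DIALOG_TARGETS = frozenset({"/dialog/share", "/dialog/feed"})


def build_forwarded_request_vulnerable(url_param, session):
    """Vulnerable pattern: take whatever endpoint the 'url' parameter names,
    turn its query string into a POST body, add the session's CSRF token and
    forward it.  Because the target is attacker-chosen, any link the victim
    clicks becomes an authenticated, token-bearing POST to that target."""
    parts = urlsplit(url_param)
    body = dict(parse_qsl(parts.query))
    body["fb_dtsg"] = session["fb_dtsg"]          # token added unconditionally
    return {"method": "POST", "path": parts.path, "body": body}


def target_check(url_param, sec_fetch_site):
    """Return None when the forward is acceptable, else a string naming the
    reason it was rejected.  Three independent checks:
      1. only relative, same-origin paths (no scheme, no host);
      2. the normalised path must be on the explicit allowlist;
      3. the dialog must not have been reached by a cross-site navigation,
         which is what a victim clicking a link on another site produces
         (browsers send the Sec-Fetch-Site request header for this)."""
    parts = urlsplit(url_param)
    if parts.scheme or parts.netloc:
        return "absolute URL rejected"
    path = posixpath.normpath(parts.path)         # collapse '..' and '//' segments
    if path not in ALLOWED_DIALOG_TARGETS:
        return "target not on allowlist: %s" % path
    if sec_fetch_site not in ("same-origin", "same-site"):
        return "cross-site request rejected"
    return None


def build_forwarded_request_hardened(url_param, session, sec_fetch_site="same-origin"):
    """Hardened form: the token is attached only after every check in
    target_check() passes; otherwise nothing is forwarded."""
    reason = target_check(url_param, sec_fetch_site)
    if reason is not None:
        return {"forwarded": False, "reason": reason}
    parts = urlsplit(url_param)
    body = dict(parse_qsl(parts.query))
    body["fb_dtsg"] = session["fb_dtsg"]
    return {"forwarded": True, "method": "POST",
            "path": posixpath.normpath(parts.path), "body": body}


if __name__ == "__main__":
    crafted = "/some/action?item=1"   # constructed path, not a real endpoint
    print(build_forwarded_request_vulnerable(crafted, SESSION))
    print(build_forwarded_request_hardened(crafted, SESSION, sec_fetch_site="cross-site"))
    print(build_forwarded_request_hardened("/dialog/share?text=hi", SESSION))
```

The allowlist is the decisive control: a forwarding endpoint that can only reach a fixed set of targets cannot be pointed at account-management actions, so the token it attaches is worthless to an attacker. The fetch-metadata check is a second, independent layer, and the absolute-URL check stops the dialog from being turned into an open redirect or a cross-origin POST proxy.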
Below is the timeline of the flaw:
Jan 26, 2019 — Report Sent
Jan 26, 2019 — Acknowledged by Facebook
Jan 28, 2019 — More details sent
Jan 31, 2019 — Fixed by Facebook
Feb 12, 2019 — $25,000 Bounty Awarded by Facebook
(SecurityAffairs – CSRF, hacking)