Facebook paid $25,000 for CSRF exploit that leads to Account Takeover

Facebook paid a $25,000 bounty for a critical cross-site request forgery (CSRF) vulnerability that could have been exploited to hijack accounts simply by tricking users into clicki on a link.

The white hat hacker who goes online with the moniker “Samm0uda” discovered a critical CSRF vulnerability in Facebook and the social network giant paid a $25,000 bounty.

“This bug could have allowed malicious users to send requests with CSRF tokens to arbitrary endpoints on Facebook which could lead to takeover of victims accounts. In order for this attack to be effective, an attacker would have to trick the target into clicking on a link.” wrote the expert.

The flaw resides in the facebook.com/comet/dialog_DONOTUSE/, the hacker leveraged it to bypass CSRF protections and act on user’s behalf by tricking him into clicking a malicious URL.

“This is possible because of a vulnerable endpoint which takes another given Facebook endpoint selected by the attacker along with the parameters and make a POST request to that endpoint after adding the fb_dtsg parameter. Also this endpoint is located under the main domain www.facebook.com which makes it easier for the attacker to trick his victims to visit the URL.” continues the expert.

“The vulnerable endpoint is: 
https://www.facebook.com/comet/dialog_DONOTUSE/?url=XXXX where XXXX is the endpoint with parameters where the POST request is going to be made (the CSRF token fb_dtsg is added automatically to the request body).”

Samm0uda published PoC URLs that could allegedly be exploited to post something on a user’s timeline and delete their profile picture.

The flaw could have been exploited even to delete the account of a targeted user, but in this case, victims have to provide their password before the account is deleted.

The flaw could have also been exploited to take control of an account by using requests that would change the targeted user’s email address or phone number associated with the account. Once the attacker has added his email address or phone number to an account, he can start a password reset.

Of course, to take full control over a Facebook account the attacker could have used the flaw to times, the first time to replace the email address or phone number of the victims, and the second time for confirming the action.

The expert was also able to create a single link that allowed him to obtain the access token of the victims.

Below the timeline of the flaw:

Jan 26, 2019 — Report Sent
Jan 26, 2019—  Acknowledged by Facebook
Jan 28, 2019 —  More details sent
Jan 31, 2019— Fixed by Facebook
Feb 12, 2019 — $25,000  Bounty Awarded by Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – CSRF, hacking)

[adrotate banner=”5″] [adrotate banner=”13″]