Facebook pays $25,000 to security researcher for discovering CSRF exploit that leads to stealing accounts
A security researcher discovered a critical cross-site request forgery (CSRF) vulnerability that would have allowed attackers to take over Facebook accounts simply by tricking the victim into clicking a malicious link.
The researcher, who goes by the pseudonym “Samm0uda”, found the vulnerability after noticing an exposed endpoint (facebook.com/comet/dialog_DONOTUSE/) that could be abused to bypass Facebook's CSRF protections and perform various actions on behalf of the victim.
“This is possible because of a vulnerable endpoint which takes another given Facebook endpoint selected by the attacker along with the parameters and makes a POST request to that endpoint after adding the fb_dtsg parameter. Also this endpoint is located under the main domain www.facebook.com which makes it easier for the attacker to trick his victims into visiting the URL,” the researcher says on his blog.
“The vulnerable endpoint is:
https://www.facebook.com/comet/dialog_DONOTUSE/?url=XXXX where XXXX is the endpoint with parameters where the POST request is going to be made (the CSRF token fb_dtsg is added automatically to the request body).”
The researcher found that the bug could be used not only to post on a targeted user's timeline, but also to delete their profile picture and even to trick them into deleting their account; in the latter case the attack only succeeds if the victim is also induced to enter their password.
The flaw could also have been exploited to take full control of an account, using requests that change the email address or mobile number associated with the victim's account. Once an attacker has added their own email address or phone number, they can use the password reset function to set a new password and lock the original owner out of the account.
Exploiting the vulnerability this way would take some effort on the attacker's part, since the victim would have to be made to follow two separate links – one to add the email address or phone number and another to confirm it. However, the researcher was also able to craft a single URL that yielded the victim's access token.
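The security-relevant point in the endpoint described above is that the server itself appended the anti-CSRF token (fb_dtsg) to a request whose target was chosen by whoever served the link, so the token no longer proved that the page making the request was Facebook's own. The following is an added example, not the researcher's code or Facebook's: it models that relay pattern with a constructed in-memory backend, shows why a plain GET from a cross-site link succeeds against the weak form, and contrasts it with a hardened relay that requires the caller to present the session's token, accepts only POST, and restricts forwarding to an allow-list of same-site paths. The relay URL, the target path `/example/update_profile`, the `ALLOWED_TARGETS` set and the `Session` class are all hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit


class Session:
    """Constructed stand-in for a logged-in session; the CSRF token is per-session."""

    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_hex(16)


class CsrfError(Exception):
    pass


def backend_post(session, path, params, audit):
    """Constructed stand-in for the state-changing endpoint the relay forwards to.
    It accepts the request only if the token in the body matches the session."""
    if not hmac.compare_digest(params.get("fb_dtsg", ""), session.csrf_token):
        raise CsrfError("backend rejected request: bad fb_dtsg")
    audit.append((session.user, path, {k: v for k, v in params.items() if k != "fb_dtsg"}))
    return "ok"


def _parse_target(relay_url):
    """Pull the ?url= value out of the relay URL and split it into path and params."""
    qs = parse_qs(urlsplit(relay_url).query)
    target = urlsplit(qs["url"][0])
    params = {k: v[0] for k, v in parse_qs(target.query).items()}
    return target, params


def vulnerable_relay(session, relay_url, audit):
    """The pattern the article describes: a GET-reachable relay reads ?url=, appends
    the session's own CSRF token and POSTs to that endpoint. Because the server
    supplies the token, a link served from any origin triggers the state change."""
    target, params = _parse_target(relay_url)
    params["fb_dtsg"] = session.csrf_token  # token added server-side: protection bypassed
    return backend_post(session, target.path, params, audit)


ALLOWED_TARGETS = {"/example/update_profile"}  # hypothetical allow-list of relayable actions


def hardened_relay(session, relay_url, audit, method="GET", presented_token=None):
    """Hardened form: the caller must already hold the session's CSRF token (which a
    cross-site page cannot read), the request must be a POST, and the forwarded
    target is limited to same-site paths on an allow-list."""
    if method != "POST":
        raise CsrfError("state-changing relay must be a POST")
    if presented_token is None or not hmac.compare_digest(presented_token, session.csrf_token):
        raise CsrfError("missing or invalid CSRF token")
    target, params = _parse_target(relay_url)
    if target.scheme or target.netloc or target.path not in ALLOWED_TARGETS:
        raise CsrfError(f"target {target.path!r} is not relayable")
    params["fb_dtsg"] = presented_token
    return backend_post(session, target.path, params, audit)


def cross_site_click(relay, session, audit):
    """Simulate the victim following a link served by another site: a plain GET with
    no token. Returns True if the state change went through, False if refused."""
    # Constructed link; %26 and %40 encode '&' and '@' inside the nested url= value.
    link = ("https://www.example.test/relay/?url=/example/update_profile"
            "?field=email%26value=attacker%40example.test")
    try:
        relay(session, link, audit)
        return True
    except CsrfError:
        return False


if __name__ == "__main__":
    victim = Session("victim")
    weak_audit, strong_audit = [], []
    print("weak relay changed state:", cross_site_click(vulnerable_relay, victim, weak_audit))
    print("hardened relay changed state:", cross_site_click(hardened_relay, victim, strong_audit))
```

The hardened version is still a relay, which is why the allow-list matters: even with a valid token, forwarding to an arbitrary caller-chosen path turns one endpoint into a generic proxy for every state-changing action on the site. In a real deployment the same check would be backed by SameSite cookie attributes and Origin/Referer validation on the relay itself.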
Samm0uda reported his findings to Facebook on January 26, 2019. The social media giant acknowledged the issue and fixed it on January 31, 2019, and awarded the researcher a $25,000 bounty under the company's bug bounty program.
You can read more about Samm0uda’s findings here.