Pierluigi Paganini
August 09, 2013
Security researcher Dan Melamed has found 2 new Facebook vulnerabilities that has been recently patched and that I decided to shows you to understand the infinite possibilities an attacker have to hit also a robust platform like FB.
The Facebook vulnerabilities are considerable a medium-severity bug and allow an attacker to invite any user to like a Facebook Fanpage. Dan Melamed has found 2 Facebook vulnerabilities within the Facebook Fan Page:
“To reproduce this flaw, you first visit a link with the ID of the page you want to invite friends to: https://x.facebook.com/send_page_invite/?pageid=583584051694359You will see a list of your friends to invite. When clicking to invite someone, you change the invitee_id parameter in the HTTP request to another Facebook user id that belongs to someone who is not in your friends list.”The CSRF flaw was that the request was using the GET method without any anti-csrf tokens:http://x.facebook.com/a/send_page_invite/?invitee_id=4&page_id=583584051694359Visiting the link above would invite Mark Zuckerberg (profile id: 4) to like your fanpage.”
“Depending on the target user’s notification settings, the invite would either appear in their notifications or under the “Like Pages” tab and it usually sends out an email informing the user that they were invited to like the fanpage.”
