The white hat hacker who goes online with the moniker “Samm0uda” discovered a critical CSRF vulnerability in Facebook and the social network giant paid a $25,000 bounty
“This bug could have allowed malicious users to send requests with CSRF tokens to arbitrary endpoints on Facebook which could lead to
The flaw resides in the facebook.com/comet/dialog_DONOTUSE/, the hacker leveraged it to bypass CSRF protections and act on user’s behalf by tricking him into clicking a malicious URL.
“This is possible because of a vulnerable endpoint which takes another given Facebook endpoint selected by the attacker along with the parameters and
“The vulnerable endpoint is:
https://www.facebook.com/comet/dialog_DONOTUSE/?url=XXXX where XXXX is the endpoint with parameters where the POST request is going to be made (the CSRF token fb_dtsg is added automatically to the request body).”
Samm0uda published PoC URLs that could allegedly be exploited to post something on a user’s timeline and delete their profile picture.
The flaw could have been exploited even to delete the account of a targeted user, but in this case, victims have to provide their password before the account is deleted.
The flaw could have also been exploited to take control of an account by using requests that would change the targeted user’s email address or phone number associated with the account. Once the attacker has added his email address or phone number to an account, he can start a password reset.
Of course, to take full control over a Facebook account the attacker could have used the flaw to times, the first time to replace the email address or phone number of the victims, and the second time for confirming the action.
The expert was also able to create a single link that allowed him to obtain the access token of the victims.
Below the timeline of the flaw:
Jan 26, 2019 — Report Sent
Jan 26, 2019— Acknowledged by Facebook
Jan 28, 2019 — More details sent
Jan 31, 2019— Fixed by Facebook
Feb 12, 2019 — $25,000 Bounty Awarded by Facebook