Facebook CSRF leading to full account takeover (fixed)

Written by Josip Franjković on October 18, 2013 in Security

Some cross-site request forgeries are a mere annoyance (like logout CSRF), some can be useful (for example, changing a user's name), and some, like the one I found, can be pretty devastating.

This bug has some similarities to Dan Melamed's findings.

To exploit this, you need a Facebook account, an Outlook.com (Hotmail) email address, and a victim. The Outlook address must not already be bound to your Facebook account.

Facebook has a "Find contacts on Facebook" feature which invites the contacts from your address book and ADDS the email address to your account.

When you approve Facebook's access to your Outlook address book, a GET request to

https://m.facebook.com/contact-importer/login/?api_instance=1&api_ver=wave5&auth_token=TOKEN

is made, and that request adds the email address to your account.

The last valid token I got is:

{"code":"2c59ed24-8674-a76a-3232-6fse0d6d5cc7","redirect_uri":"https://www.facebook.com/accept_token.php?api_ver=wave5&csrf=AQDt6cT&
appdata={"use_case":1,"type":1,"flow":30,"domain_id":4,"tracked_params":"[]","enc_uid":"AdjjCVjSQ3I1RFRllRz81ohsy737W7oipkrAYKmCYISHLHcmzi55G4GaGckcSCP97t0",
"post_login_redirect":"https:\/\/m.facebook.com\/contact-importer\/login\/?api_instance=1&api_ver=wave5"}"}

Now, this request has no checks: you can repeat it as many times as you want.

The problem is that it works for OTHER users too. The token is accepted by whichever logged-in session presents it, not only by the account that started the import.
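The two missing checks, modelled as an added example (this is hypothetical code written for this post, not Facebook's implementation): the callback should be bound to the account that started the "Find contacts" flow and should be single use. `ContactImporter`, `callback_unchecked`, `callback_hardened` and the "attacker"/"victim" session names are all constructed for the illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass
class PendingImport:
    user_id: str  # account that started the "Find contacts" flow
    email: str    # address the callback will attach to an account
    used: bool = False

class ContactImporter:
    def __init__(self) -> None:
        self._pending: dict[str, PendingImport] = {}
        self.account_emails: dict[str, set[str]] = {}

    def start_import(self, session_user: str, email: str) -> str:
        # Unguessable token, bound server-side to the account that started the flow.
        token = secrets.token_urlsafe(32)
        self._pending[token] = PendingImport(session_user, email)
        return token

    def callback_unchecked(self, session_user: str, auth_token: str) -> bool:
        # The flaw the post describes: any session presenting a known token gets
        # the email attached, and the token is never consumed.
        pending = self._pending.get(auth_token)
        if pending is None:
            return False
        self.account_emails.setdefault(session_user, set()).add(pending.email)
        return True

    def callback_hardened(self, session_user: str, auth_token: str) -> bool:
        pending = self._pending.get(auth_token)
        if pending is None or pending.used:
            return False  # unknown token, or a replay
        if pending.user_id != session_user:
            return False  # token was issued to a different account
        pending.used = True  # single use; a real deployment would also expire it
        self.account_emails.setdefault(session_user, set()).add(pending.email)
        return True

def demo() -> dict:
    # Constructed scenario: "attacker" starts the flow and holds a token;
    # "victim" is the session that ends up issuing the callback GET.
    svc = ContactImporter()
    token = svc.start_import("attacker", "attacker@example.com")
    return {
        "unchecked_other_session": svc.callback_unchecked("victim", token),
        "hardened_other_session": svc.callback_hardened("victim", token),
        "hardened_owner": svc.callback_hardened("attacker", token),
        "hardened_replay": svc.callback_hardened("attacker", token),
        "victim_emails": sorted(svc.account_emails.get("victim", ())),
        "attacker_emails": sorted(svc.account_emails.get("attacker", ())),
    }
```

The unchecked handler silently attaches the attacker's address to the victim's session; the hardened one rejects the foreign session and the replay while still accepting the genuine owner once.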

So, the course of action to take over a victim's account would be:

  1. Use "Find contacts on Facebook" from the attacker account and log all requests
  2. Find the /contact-importer/login request
  3. Remove the added email address from your (attacker) account
  4. Get the victim to somehow make the /contact-importer/login request (infinite possibilities here)
  5. The email address is now silently added to the victim's account
  6. Use "Forgot your password" to take over the account

Here is a video demonstrating the exploit:

Timeline:

  • 13 August 2013, 07:00 - Bug reported
  • 13 August 2013, 19:39 - Better PoC and video sent to the Facebook team
  • 14 August 2013, 01:00 - Facebook team replies
  • 14 August 2013, 03:00 - Bug is fixed

I would like to thank Facebook's security team for running their bug bounty program and for quickly patching this issue: it took them only 2 hours to roll out a working patch.