Tuesday, May 17, 2016

How I bypassed Facebook CSRF once again!


  10 comments





I found a vulnerability in Facebook that allowed me to create arbitrary form in Facebook that send a POST request with CSRF token to any Facebook endpoints or external hosts!

It was very similar to this bug which I found in 2015.



'fb_dtsg' Anti-CSRF token supposed to get validated at server-side
and if an action request doesn't that token, Facebook will drop the request without any process on it!
( not all actions, you may find some of them ;-) )

I found this vulnerability in  Continued Flow section of  Lead Ads!


A continued flow lead ad means the final step is completed on the advertiser's website. The lead ad will collect all of the data provided and pass it to a destination URL using a hash or POST request. This is valuable for flows where you need data that Facebook is unwilling to collect (e.g. passwords for creating an account).


Root Cause

Facebook's post method was used in continued flow and in the method, fb_dtsg added to every request.

Scenario


So we need to create a continued flow lead ad and according to the document this is only available to whitelisted users.
But I bypassed this restriction with a simple trick.

Whenever a user creates lead ad form, a JSON object contains data were sent to create endpoint.
Fortunately I found another endpoint to get created forms as JSON and then I saw these keys:


form JSON


I added these keys to frombuilder json with modified values, form created with continued flow.
There was no server side check ...

For example disable timeline review action:
Endpoint URL: https://facebook.com/ajax/settings/timeline/review.php  
Body: tag_approval_enabled=0
Final URL: https://facebook.com/ajax/settings/timeline/review.php?tag_approval_enabled=0&__a=1


Finally I tested it with Facebook Tools and it worked!

POC: 

YouTube removed the original video due a unknown reason!
So I moved my videos to Facebook :)




Fun Part: 

When custom field name was fb_dtsg  ... :D


Timeline: 

  •  Mar 29 2016 "Like last year ;)" : Initial report
  •  Apr  06 2016 : Requested more info
  •  Apr  06 2016 : More details sent
  •  Apr  07 2016 : Bug acknowledged by security team
  •  Apr  07 2016 : Fun part sent!
  •  Apr  12 2016 : Bug fixed
  •  Apr  13 2016 : Facebook security team rewarded me with a $7,500.
  •  Apr  18 2016 : More info about whitelist sent
  •  May 06 2016 : Second bug fixed

10 comments :

  1. Nice find once again! Congrats bro :)

    ReplyDelete
  2. سلام. آقای دارابی شما تست نفوذ برای یک شرکت معتبر در ایران انجام میدین؟

    ReplyDelete
  3. I DONT KNOW WHAT YOU HAVE BEEN THROUGH OR HOW LONG YOU HAVE BEEN LOOKING BUT THIS IS THE LAST STOP AS THERE IS A HACKER WHO CAN HELP YOU WITH SPY WARE ON YOUR CHEATING PARTNER OR UPGRADE YOUR SCHOOL SCORES OR HELP WITH RESULT AND CLEAR ANY CRIMINAL RECORD..

    HACKING OF FACEBOOK , EMAIL , AND BANK ACCOUNTS ARE HIS SPECIALTY.. EMAIL : [email protected] OR SKYPE:SATISH.ANCHAN4

    BEST EVER

    ReplyDelete
  4. I'm hoping you keep writing like this. I love how careful and in depth you go on this topic. Keep up the great work facebook video downloader

    ReplyDelete
  5. Wow, What a Excellent post. I really found this to much informatics. It is what i was searching for.I would like to suggest you that please keep sharing such type of info.Thanks browse around this site

    ReplyDelete