Facebook CSRF leading to full account takeover (fixed)
Some cross-site request forgeries are a mere annoyance (logout CSRF, for example), some are useful to an attacker (changing a user's name), and some, like the one I found, can be pretty devastating.
This bug has some similarities to Dan Melamed's findings (archive.org link).
To exploit this you need a Facebook account, an Outlook.com (Hotmail) email address, and a victim. The Outlook address must not be bound to your (attacker) Facebook account at the moment the victim is hit.
When you approve Facebook's access to your Outlook contact list, a GET request to Facebook's /contact-importer/login endpoint is made, which adds the Outlook address to your account. The request carries no anti-CSRF token and is not tied to the session that started the import, so you can replay it as many times as you want.
The problem is, it works for OTHER users too.
So, the course of action to take over the victim's account would be:
Use "Find contacts on Facebook" from the attacker account and log all requests it makes
Find the /contact-importer/login request in the log
Remove the email address the import just added from your (attacker) account, so it is free to be bound again
Get the victim to make the same /contact-importer/login request while logged in to Facebook (infinite possibilities here: a link, an image tag, a hidden iframe)
The email is now added to the victim's account, silently
Use "Forgot your password" with that address; the reset goes to the Outlook mailbox you control, and you take over the account
Click here for a video demonstrating the vulnerability.
August 13, 2013, 07:00: Bug reported
August 13, 2013, 19:40: Better PoC and video sent to Facebook team
August 14, 2013, 01:00: Facebook team replies
August 14, 2013, 03:00: Bug is fixed
I would like to thank Facebook's security team for running their bug bounty program and for quickly patching this issue: it took them only two hours from their first reply to roll out a working patch.