Bug bounties
Facebook CSRF leading to full account takeover (fixed)
Some cross site request forgeries are mere annoyance (like logout CSRF), some can be useful (example: changing name of user), and some - like the one I found - can be pretty devastating.
This bug has some similarities to Dan Melamed's findings (archive.org link).
To exploit this, you need a Facebook account, an Outlook.com (Hotmail) email, and a victim. The Outlook email must not be bound to your Facebook account.
When you approve Facebook to access Outlook's contact book, a GET request to
https://m.facebook.com/contact-importer/login/?api_instance=1&api_ver=wave5&auth_token=TOKEN
is made, which adds the email to your account. This request has no checks; you can repeat it as many times as you want.
The problem is, it works for OTHER users too.
So, the course of action to take over victim's account would be:
-
Use "Find contacts on Facebook" from attacker account and log all requests
-
Find the /contact-importer/login request
-
Remove added email from your (attacker) account
-
Get the victim to somehow make the /contact-importer/login request (infinite possibilities here)
-
Email is now added to victim's account, silently
-
Use "Forgot your password" to take over the account
Click here for a video demonstrating the vulnerability.
Timeline:
-
August 13, 2013, 07:00: Bug reported
-
August 13, 2013, 19:40: Better PoC and video sent to Facebook team
-
August 14, 2013, 01:00: Facebook team replies
-
August 14, 2013, 03:00: Bug is fixed
I would like to thank Facebook's security team for running their bug bounty program, and for quickly patching this issue - it took them only 2 hours to roll out working patch.
Random blog post
Bug bounties
Hacking Facebook accounts using CSRF in Oculus-Facebook integration
Read more
Josip Franjković
web security consultant
I enjoy breaking websites and participating in various bug bounty programs.