According to reports, Facebook has just paid a $25,000 reward to a white hat hacker who found a critical cross-site request forgery (CSRF) vulnerability. If you’re wondering what warranted this payday, you need to know the implications of CSRF to realize that this was a big discovery.
According to Facebook, had the CSRF flaw continued operating without detection it would have exposed user accounts to full takeover.
All an attacker needed to do was trick a victim into clicking a single link. The link pointed at a weak spot under facebook.com/comet/dialog_DONOTUSE/, an endpoint that forwarded a POST request of the attacker’s choosing to any other Facebook endpoint, attaching the victim’s CSRF token automatically. That sidestepped Facebook’s CSRF protection entirely and let the attacker perform any action on the account as if they were the victim.
How Does It Work?
The attacker picks the Facebook endpoint, together with its parameters, to which a POST request should be made. The vulnerable endpoint then issues that request on the victim’s behalf and adds the fb_dtsg parameter (Facebook’s CSRF token) itself. Because the endpoint lives under the main www.facebook.com domain, a link to it looks legitimate, which makes it easy to get a victim to open it.
Just in case you were curious, the exposed endpoint is https://www.facebook.com/comet/dialog_DONOTUSE/?url=XXXX, where XXXX is the target endpoint together with its parameters. It’s through this endpoint that the attacker can make the POST request, carried out by the victim’s own browser with the victim’s own session.
The endpoint adds the fb_dtsg CSRF token to the request body automatically, so the attacker never needs to know or obtain it.
The white hat hacker who discovered this trick goes by the name Samm0uda, and he went on to develop and publish PoC URLs showing how accounts would’ve been vulnerable to attack. According to him, a hacker could’ve easily used the vulnerability to post on a user’s timeline, change their profile picture, and so on, all from the victim’s logged-in session.
The only action the victim was protected against was deletion of their account, because Facebook requires you to provide your password for that. However, the attacker could’ve bypassed this measure by changing the targeted user’s phone number or email address and then resetting the password.
This means the attacker would have to leverage the flaw twice: once to add their own email address to the victim’s account, and a second time to submit the confirmation for it.
The attacker could also build a single link that obtains the victim’s access token, further entrenching their control over the account.
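The mechanism described above, as an added example that is not part of the original article and not Facebook’s code: a small model of a state-changing API protected by a per-session token, a forwarding endpoint that defeats that protection by filling in the token itself, and a hardened version of the same endpoint. Only the path /comet/dialog_DONOTUSE/, its url parameter and the fb_dtsg token name come from the write-up; the Session class, the handle_post, dialog_vulnerable and dialog_fixed functions, the endpoint paths under /timeline and /settings, and the attacker addresses are assumptions made for this illustration. The demo also walks through the two-step email change from the takeover chain.

```python
# Constructed model of the CSRF-token-forwarding bug (added example; not Facebook code).
# Session, handle_post, dialog_vulnerable, dialog_fixed and the endpoint paths below
# are assumptions for this illustration; only /comet/dialog_DONOTUSE/, the url
# parameter and the fb_dtsg token name come from the write-up.
import secrets
from urllib.parse import parse_qs, quote, urlsplit


class Session:
    """A logged-in user's server-side state, including the per-session CSRF token."""

    def __init__(self, user):
        self.user = user
        self.fb_dtsg = secrets.token_urlsafe(16)  # unguessable to a cross-site attacker
        self.email = f"{user}@example.org"
        self.pending_email = None
        self.confirm_code = None
        self.posts = []


def handle_post(session, path, body):
    """State-changing endpoints. Each one checks the CSRF token first; that check is
    exactly what the forwarding endpoint below defeats."""
    if body.get("fb_dtsg") != session.fb_dtsg:
        return 403, "missing or invalid fb_dtsg"
    if path == "/timeline/post":
        session.posts.append(body["message"])
        return 200, "posted"
    if path == "/settings/email/add":
        # Step 1 of the takeover chain: a new address needs a confirmation code,
        # which is mailed to that address, i.e. to the attacker.
        session.pending_email = body["new_email"]
        session.confirm_code = secrets.token_hex(4)
        return 200, "confirmation code sent to " + body["new_email"]
    if path == "/settings/email/confirm":
        # Step 2: the same flaw is used again to submit the code.
        if session.pending_email and body.get("code") == session.confirm_code:
            session.email, session.pending_email = session.pending_email, None
            return 200, "email changed"
        return 400, "bad confirmation code"
    return 404, "unknown endpoint"


def split_target(url_param):
    """Turn the decoded ?url= value into (parsed URL, form fields)."""
    parts = urlsplit(url_param)
    body = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts, body


def dialog_vulnerable(session, url_param):
    """Model of the bug: a GET-reachable page forwards url_param as a POST and
    supplies the victim's own fb_dtsg, so handle_post's check always passes."""
    parts, body = split_target(url_param)
    body["fb_dtsg"] = session.fb_dtsg  # the defect: the server fills in the token
    return handle_post(session, parts.path, body)


def dialog_fixed(session, url_param, caller_fb_dtsg=None):
    """Hardened version: the forwarding endpoint is itself CSRF-protected (the caller
    must already hold the token, which a cross-site page cannot read) and it only
    forwards to same-origin paths."""
    parts, body = split_target(url_param)
    if parts.scheme or parts.netloc:
        return 400, "only same-origin paths may be forwarded"
    if caller_fb_dtsg != session.fb_dtsg:
        return 403, "forwarding requires a valid fb_dtsg"
    body["fb_dtsg"] = caller_fb_dtsg
    return handle_post(session, parts.path, body)


def attacker_link(target):
    """Build the kind of link the victim is tricked into clicking (constructed)."""
    return "https://www.facebook.com/comet/dialog_DONOTUSE/?url=" + quote(target, safe="")


def url_param_from_link(link):
    """What the server sees once it decodes the ?url= query parameter."""
    return parse_qs(urlsplit(link).query)["url"][0]


def run_demo():
    victim = Session("victim")
    post = url_param_from_link(attacker_link("/timeline/post?message=pwned"))
    results = {
        "vulnerable_post": dialog_vulnerable(victim, post),           # succeeds
        "fixed_post": dialog_fixed(victim, post),                     # attacker has no token
        "fixed_post_with_token": dialog_fixed(victim, post, victim.fb_dtsg),  # legit caller
    }
    # Account takeover needs the flaw twice: add the attacker's address, then confirm it.
    add = url_param_from_link(attacker_link("/settings/email/add?new_email=attacker@example.net"))
    results["add_email"] = dialog_vulnerable(victim, add)
    confirm = url_param_from_link(attacker_link(f"/settings/email/confirm?code={victim.confirm_code}"))
    results["confirm_email"] = dialog_vulnerable(victim, confirm)
    results["final_email"] = victim.email
    results["posts"] = list(victim.posts)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The lesson generalizes beyond this one endpoint: a CSRF token only protects an action if the attacker cannot get the server to supply it. Any same-origin page that forwards caller-chosen requests and adds the token on the caller’s behalf turns every protected endpoint it can reach back into an unprotected one, which is why the hardened version demands the token from the caller before forwarding anything.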
Judging by the timeline below, Facebook was swift in its response to the flaw. It paid the bounty less than three weeks after the report, which will hopefully encourage others to report similar vulnerabilities on the network.
Here’s a timeline of the flaw:
- Jan 26, 2019: Samm0uda discovered the flaw and reported it to Facebook.
- Jan 26, 2019: Facebook acknowledged Samm0uda’s report.
- Jan 28, 2019: Samm0uda sent more details of the flaw to the tech giant.
- Jan 31, 2019: Facebook fixed the flaw.
- Feb 12, 2019: Facebook awarded Samm0uda a $25,000 reward for his discovery.