If you’re a security researcher in search of a fat bug bounty, Facebook must look like a good place to start your next hunt.
The site has suffered a lot of niggling security flaws in recent times, to which can now be added a new Cross Site Request Forgery (CSRF) protection bypass flaw that could have allowed an attacker to hijack a user’s account in several ways.
Discovered by researcher ‘Samm0uda’ in January, the problem centres around what is technically known as a vulnerable URL “endpoint”, in this case
facebook.com/comet/dialog_DONOTUSE/?url=XXXX. Explains the researcher:
This endpoint is located under the main domain www.facebook.com which makes it easier for the attacker to trick his victims to visit the URL.
CSRF attacks happen when an cybercriminal tricks the user into clicking on a malicious link that submits instructions to the vulnerable site that appear to come from the user’s browser.
All that is required for this to work is that the user must be authenticated (i.e. logged in) when this happens, although the victim remains unaware that anything untoward is happening.
The technique has been popular for years, which is why websites use anti-CSRF tokens that are reset every time there is a state-changing request.
In this case, the researcher was able to bypass this by adding the Facebook
fb_dtsg CSRF token to the POST request body as part of the compromise.
“In the blink of an eye”
A successful attack would allow an attacker to post to the hijacked user’s timeline, change their profile picture, and even trick them into deleting their account.
Admittedly, account takeover executed by changing the user’s recovery email address or phone number would be trickier as it requires the user to be lured to two URLs, one to make a change and another to confirm the action.
So to bypass this, I needed to find endpoints where the ‘next’ parameter is present so the account takeover could be made with a single URL.
That extra step is what eventually reduced Samm0uda’s bug bounty from $40,000 (for takeovers not requiring additional user interaction) to $25,000 (for ones that do).
On 31 January, five days after being reported to Facebook, the issue was fixed, the researcher said.
Facebook vulnerabilities have become a bit of a running theme, including a major breach affecting nearly 50 million account holders last September after attackers exploited a flaw to steal access tokens.
Not long after, a researcher reported how a Facebook user could make themselves admin on any Facebook Business Account.
Separately, a flaw-cum-leak was discovered last week by Nightwatch Cybersecurity in which an Android app with Facebook API access was allegedly “copying user data into storage outside of Facebook and storing it insecurely in two separate locations.”
As with the latest issue, fixing those would have earned their finders a nice fee. In fact, Facebook said in December it had paid out a mere $1.1 million in bounties during 2018, and $7.5 million since 2011.
Long live researchers!