Incidents

Facebook grants $25k USD bounty for critical vulnerability report

Vulnerability would have allowed an attacker to take control of an account by simply clicking a link

Facebook has just granted a $25k USD reward for the report of a critical cross-site request forgery (CSRF) vulnerability. According to network security specialists from the International Institute of Cyber Security, the vulnerability could have been exploited to hijack social network accounts; the attacker only needed to trick the victim into clicking a specially crafted link.

The white hat hacker known in the community as “Samm0uda”
was responsible for reporting the flaw to the social network, which granted the
considerable amount for his report.

“The vulnerability could have allowed malicious users to send requests with counterfeit tokens to arbitrary endpoints on Facebook, so it was possible to take control of the victim’s account. The victims just had to click on a link”, added the network security specialist.

“Exploiting this vulnerability is possible due
to a vulnerable endpoint that takes another Facebook endpoint selected by the
attacker along with the parameters and performs a POST request to that endpoint
after adding the FB_DTSG parameter. In addition, this endpoint is under the
www.facebook.com main domain, making it very easy for attackers to trick
victims into that URL”, added Samm0uda.
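The relay pattern Samm0uda describes, modelled as an added example that is not Facebook's code (the endpoint name, the `fb_dtsg` parameter spelling and the site origin are assumptions): a relay that forwards a caller-chosen POST and attaches the victim's own anti-CSRF token makes the target's token check worthless, while the hardened relay leaves the token to the caller and refuses cross-origin and GET requests.

```python
"""Hypothetical model of a CSRF-token relay anti-pattern (not Facebook's code;
endpoint name, fb_dtsg spelling and site origin are assumptions). The target
endpoint checks a synchronizer token; the flawed relay supplies it itself."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

SITE_ORIGIN = "https://www.example.com"  # assumed first-party origin

@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    profile_photo: str = "default.png"

class CsrfError(Exception):
    pass

def set_profile_photo(session: Session, params: Dict[str, str]) -> str:
    """State-changing endpoint guarded by a synchronizer token (fb_dtsg)."""
    if params.get("fb_dtsg") != session.csrf_token:
        raise CsrfError("missing or wrong anti-CSRF token")
    session.profile_photo = params["photo"]
    return session.profile_photo

ENDPOINTS = {"/set_profile_photo": set_profile_photo}  # targets a relay may forward to

def vulnerable_relay(session: Session, target: str, params: Dict[str, str]) -> str:
    """Flawed relay: reachable from a plain link, target and parameters come
    from the URL, and the relay injects the victim's token before forwarding,
    so the target's check passes although the clicked link carried no token."""
    forwarded = dict(params, fb_dtsg=session.csrf_token)
    return ENDPOINTS[target](session, forwarded)

def hardened_relay(session: Session, target: str, params: Dict[str, str],
                   method: str, origin: Optional[str]) -> str:
    """Hardened relay: POST only, same-origin only, and the token must be
    supplied by the caller; the relay never adds it on the caller's behalf."""
    if method != "POST":
        raise CsrfError("relay accepts POST only")
    if origin != SITE_ORIGIN:
        raise CsrfError("cross-origin request refused")
    return ENDPOINTS[target](session, params)  # token verified by the target

def attempt(handler: Callable[..., str], *args) -> str:
    """Run a handler and report its result or the reason it was rejected."""
    try:
        return "ok:" + handler(*args)
    except CsrfError as exc:
        return "rejected:" + str(exc)
```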

The network security expert published the URL of his proof of concept, which could be exploited to post anything on the victim’s timeline or even change their profile photo. The vulnerability might even have been exploited to delete a Facebook account, although the victim would have had to enter their password before the account deletion process could complete.

As if that were not enough, the vulnerability could also have been exploited to reset the password of an account by changing the email address or phone number associated with it. The attacker would have had to send a few requests to Facebook to add their own contact details to the account, after which resetting the password would have been easy.

To take full control of an account, an attacker would have had to exploit the vulnerability twice: once to add or replace the victim’s email address or phone number, and a second time to confirm the change.

The expert was also able to create a unique
link that allowed him to get the victim’s access token.
