Vulnerability would have allowed an attacker to take control of an account by simply clicking a link
Facebook has just granted a $25k USD reward for the report of a critical cross-site request forgery (CSRF) vulnerability. According to network security specialists from the International Institute of Cyber Security, the vulnerability could have been exploited to hijack social network accounts; the attacker only needed to trick the victim into clicking on a specially crafted link.
The white hat hacker known in the community as “Samm0uda” was responsible for reporting the flaw to the social network, which granted the considerable amount for his report.
“The vulnerability could have allowed malicious users to send requests with counterfeit tokens to arbitrary endpoints on Facebook, so it was possible to take control of the victim’s account. The victims just had to click on a link”, added the network security specialist.
“Exploiting this vulnerability is possible due to a vulnerable endpoint that takes another Facebook endpoint selected by the attacker along with the parameters and performs a POST request to that endpoint after adding the FB_DTSG parameter. In addition, this endpoint is under the www.facebook.com main domain, making it very easy for attackers to trick victims into that URL”, added Samm0uda.
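The design flaw described in the quote above is a dispatcher endpoint that reads a target action and its parameters from a link, appends the session's own CSRF token (fb_dtsg) server-side, and then POSTs on the user's behalf. The following is an added, self-contained Python model written for this page; it is not Facebook's code and the names (SITE_ORIGIN, perform_action, vulnerable_dispatcher, hardened_dispatcher, the session store and the sample link) are all constructed. It shows why injecting the token server-side defeats the token check, and how a hardened dispatcher keeps the check meaningful by accepting only same-origin POSTs and requiring the caller to supply the token itself.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed example data (not from the article): one logged-in session
# with a per-session anti-CSRF token, and an assumed first-party origin.
SITE_ORIGIN = "https://social.example"
SESSIONS = {"sid-victim": {"user": "victim", "csrf_token": secrets.token_hex(16)}}

# A link an outside page could point a victim at; the parameters are attacker-chosen.
# The token value is deliberately absent: the attacker does not know it.
SAMPLE_LINK = "https://social.example/dispatch?action=update_email&value=new%40mail.test"


def query_params(link):
    """Return the link's query string as a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(link).query).items()}


def perform_action(session, params):
    """Target endpoint: a state-changing action guarded by the per-session token.
    The article names Facebook's equivalent parameter fb_dtsg."""
    supplied = params.get("fb_dtsg", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return {"status": 403, "error": "missing or invalid CSRF token"}
    return {"status": 200, "performed": params.get("action")}


def vulnerable_dispatcher(session, link):
    """The pattern the article describes: reachable via a plain link (GET), takes the
    target action and parameters from the link, adds the victim's own token, and POSTs.
    The token check downstream still 'passes' because the server minted the token."""
    params = query_params(link)
    params["fb_dtsg"] = session["csrf_token"]  # the defect: token injected server-side
    return perform_action(session, params)


def hardened_dispatcher(session, link, method, origin):
    """Hardened version (an added illustration, not the fix Facebook shipped):
    - only POST may trigger a state change (a link click is a GET);
    - the Origin header must match the site, so a cross-site form cannot reach it;
    - the token is passed through exactly as the client sent it, never added here,
      so only same-origin script that already holds the token can succeed."""
    if method != "POST":
        return {"status": 405, "error": "method not allowed"}
    if origin != SITE_ORIGIN:
        return {"status": 403, "error": "cross-origin request rejected"}
    return perform_action(session, query_params(link))


def demo():
    """Run the constructed scenarios and return their outcomes for inspection."""
    session = SESSIONS["sid-victim"]
    legit_link = SAMPLE_LINK + "&fb_dtsg=" + session["csrf_token"]
    return {
        "vulnerable_via_link": vulnerable_dispatcher(session, SAMPLE_LINK)["status"],
        "hardened_get_link": hardened_dispatcher(session, SAMPLE_LINK, "GET", "https://attacker.test")["status"],
        "hardened_cross_origin_post": hardened_dispatcher(session, SAMPLE_LINK, "POST", "https://attacker.test")["status"],
        "hardened_same_origin_no_token": hardened_dispatcher(session, SAMPLE_LINK, "POST", SITE_ORIGIN)["status"],
        "hardened_same_origin_with_token": hardened_dispatcher(session, legit_link, "POST", SITE_ORIGIN)["status"],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: HTTP {status}")
```

The point a reviewer would check in any such "forward this request for me" endpoint is the line that copies the session token into the outgoing request: once the server does that, the token no longer proves that the request originated from a page the user was actually viewing on the site, and the protection it was meant to give is gone.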
The network security expert published the URL of his proof of concept, which could be exploited to post anything on the victim’s timeline, or even change their profile photo. The vulnerability might even have been exploited to delete a Facebook account, although victims would have had to enter their password on the platform before the account deletion process could complete.
As if that were not enough, the vulnerability could also have been exploited to reset the password of an account by changing the email address or phone number associated with it. The attacker would have had to send some requests to Facebook to add their own contact details to the account, after which resetting the password would have been easy to perform.
To take full control of an account, a hacker would have had to exploit the vulnerability twice: once to add or replace the email address or phone number on the account, and a second time to confirm the change.
The expert was also able to create a unique link that allowed him to get the victim’s access token.