
Facebook CSRF leading to full account takeover (fixed) - franjkovic
http://pyx.io/blog/facebook-csrf-leading-to-full-account-takeover
======
bdcravens
Should the title be updated to reflect that this is 2+ months old? After all,
the fix was put in place in a couple of hours. This isn't a current bug but
rather an excellent post-mortem, yet the title suggests present tense.

~~~
rmc
Anyone who writes about security bugs like this where it's a "current bug" is
being shitty. Follow responsible disclosure, people.

~~~
jrochkind1
If you read the OP, you'll find that's what happened.

~~~
rmc
Oh I agree. I was directing my comment at the comment I replied to, which was
bemoaning that this wasn't a current bug. It was like they were complaining
that responsible disclosure wasn't followed.

------
ryhanson
How much did you get for this bug via their bug bounty program?

~~~
franjkovic
$12,500. (More than) good enough for me; it takes a year of work on an average
salary to get this much money in my country.

~~~
adamnemecek
Out of curiosity, how much time did you spend on this?

~~~
franjkovic
I spend 4-5 hours a week hunting for bugs.

The "session" I found this bug in was around 2 hours long.

------
himal
I'm surprised that it took this long to discover this. I wonder how many
exploits of this type are still out there.

~~~
yeukhon
> I'm surprised that it took this long to discover this.

Because the system is complex, and security is hard.

~~~
himal
I meant by the others who are trying to win the bounty.

------
RexRollman
I don't like Facebook but I have to give them credit for addressing this so
quickly.

------
debt
That's a pretty amateur mistake for such an enormous company. Mad respect for
FB, but c'mon, how'd this slip through? This was a very trivial exploit.

~~~
meowface
I don't really agree. They made all the effort to put CSRF tokens everywhere,
and the vast majority are properly validated, but here there was probably some
bug where they assumed the CSRF token validation check was always running, but
I guess it wasn't.

It's certainly a mistake, but it was probably easy for developers and QA to
miss.

~~~
memoryfault
I disagree with that. It's a GET request that is changing state server-side.
That is a dead giveaway for a CSRF vulnerability.
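
A cut-down illustration of the failure mode meowface and memoryfault are describing, added here as an example and not code from the post or from Facebook: a handler whose CSRF check is wired only to POST, beside one that refuses state-changing GETs and validates the token on every mutation. The route, session layout and parameter name are made up for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field
# Constructed stand-in for a web request; session is what the cookie resolves to.
@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)

STATE_CHANGING = {"/settings/email"}  # hypothetical route, not Facebook's

def new_session(user):
    # Per-session anti-CSRF token, minted server-side and embedded in the site's own forms.
    return {"user": user, "csrf": secrets.token_urlsafe(32), "email": "old@example.com"}

def vulnerable_handle(req):
    # The check exists but is wired only to POST, so a state-changing GET never reaches it.
    if req.method == "POST":
        if not hmac.compare_digest(req.params.get("csrf", ""), req.session["csrf"]):
            return 403
    if req.path in STATE_CHANGING:
        req.session["email"] = req.params["email"]
        return 200
    return 404

def hardened_handle(req):
    # State changes accept POST only, and each must carry a token matching the
    # session's, compared in constant time.
    if req.path in STATE_CHANGING:
        if req.method != "POST":
            return 405
        if not hmac.compare_digest(req.params.get("csrf", ""), req.session["csrf"]):
            return 403
        req.session["email"] = req.params["email"]
        return 200
    return 404

def demo():
    # A cross-site GET arrives with the victim's cookie but no token, which the
    # attacking page cannot read; then a legitimate same-site form post.
    forged = {"email": "attacker@example.com"}
    s1, s2 = new_session("victim"), new_session("victim")
    v = vulnerable_handle(Request("GET", "/settings/email", forged, s1))
    h = hardened_handle(Request("GET", "/settings/email", forged, s2))
    after_forgery = s2["email"]
    ok = hardened_handle(Request("POST", "/settings/email",
                                 {"email": "new@example.com", "csrf": s2["csrf"]}, s2))
    return {"vuln": (v, s1["email"]), "hard": (h, after_forgery), "legit": (ok, s2["email"])}
```

The vulnerable handler lets the forged GET rewrite the email; the hardened one rejects it with 405 while the token-bearing POST still succeeds.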

------
franjkovic
You can read about all kinds of bugs and "bugs" I found in bounty programs on
my old blog, too
[http://josipfranjkovic.blogspot.com/](http://josipfranjkovic.blogspot.com/)

------
geden
Interestingly, several of my wife's Hotmail-using Facebook friends' accounts
appeared to have been owned last night. Has someone found a new similar
exploit?

~~~
chrismarlow9
The exploit may not have been patched in the mobile version of Facebook or may
still work using a Hotmail alias (passport.net or w/e). These are just
guesses. I dug into Facebook security a while back and they seemed to have
very little protection in place on the mobile site.

------
bonobo
Something I don't get: why is a Hotmail account a prerequisite? Wouldn't this
work with any other email account?

~~~
franjkovic
The redirect URL when you give access to Facebook is different for other email
providers. Hotmail (that is, Outlook) is the only one that worked as far as I
know; I have tested Gmail and Yahoo, but neither of them was exploitable
(there is also a chance I missed something, so it is worth checking again).

------
b0b0b0b
Are there researchers out there testing whether Facebook regresses security
fixes?

Or would the effort not procure enough reward?

------
ryansan
Did anyone else notice that the site and social networking properties were all
put up at the same time as the post (roughly)? Good tactic for starting a
business.

