Should the title be updated to reflect that this is 2+ months old? After all, the fix was put in place in a couple of hours. This isn't a current bug, but rather, an excellent post-mortem, but the title suggests present tense.
Most responsible disclosure is normally posted about sooner though. I think what the OP meant is that waiting 2 months, and then giving the post this title, makes it seem as though it was a more recent bug.
"Post-mortem" is usually appended to titles for solved vulnerabilities, although this was 2 months ago. Maybe just timestamp it? e.g. "Facebook CSRF leading to full account takeover (Post-mortem, August 2013)"
That would imply that the Post-Mortem itself was written in August 2013, which would probably get far fewer clicks as people assume they've read about the vulnerability before.
Oh I agree. I was directing my comment at the comment I replied to, which was bemoaning that this wasn't a current bug. It was like they were complaining that responsible disclosure wasn't followed.
I wasn't at all suggesting disclosing a bug before it's fixed. The write-up was great, the disclosure correct. I was merely saying that the HN title should reflect the current state of affairs.
Congrats. This is exactly how responsible disclosure is supposed to work. You spend valuable time looking for holes and when you find one they fix it quickly and compensate you for your trouble.
Were you able to do this all with the dummy accounts that Facebook provides for the Bug Bounty program or did any steps require a genuine account? Just curious as I always wonder whether there are bugs that affect genuine accounts and not dummy accounts or vice-versa.
He'd probably be better off staying where he is and courting customers in the US and UK. The combination of a low cost of living and a metropolitan income (or as close as possible) is a splendid combination.
Given the seriousness, I would hope it is in the five figures (Facebook don't go into details about rewards, but a comparable exploit for a Google Account would net you at least $10k).
That's a pretty amateur mistake for such an enormous company. Mad respect for FB, but c'mon, how'd this slip through? This was a very trivial exploit.
I don't really agree. They made all the effort to put CSRF tokens everywhere, and the vast majority are properly validated, but here there was probably some bug where they assumed the CSRF token validation check was always running, but I guess it wasn't.
It's certainly a mistake, but it was probably easy for developers and QA to miss.
They didn't validate the token, nor did they make sure the user id was valid for the request; that's two important checks that either weren't there or failed. Seems like they just weren't there, as otherwise there would have been more failures like this throughout the site. Because those checks weren't there I'd say it was an amateur mistake. Again, if this is the case then the engineer just made an assumption that this request can only be made in a particular user state.
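The two checks the comment above names, a CSRF token that is actually verified and a user id that is bound to the logged-in session, are shown below side by side in a vulnerable and a hardened request handler. This is an added illustration, not Facebook's code or anything from the original write-up; the handler names, the HMAC token format, the in-memory "database" and the sample accounts are all constructed for the example.

```python
"""Vulnerable vs. hardened handler for a state-changing request.

Constructed example: the token scheme, handlers and sample data are
assumptions made for illustration, not the real site's implementation.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side key; a real deployment loads this from config.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def issue_csrf_token(session_id: str, user_id: int) -> str:
    """Token tied to both the session and the user it was issued for."""
    msg = f"{session_id}:{user_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def token_is_valid(token: Optional[str], session_id: str, user_id: int) -> bool:
    """Constant-time comparison against the token this session should hold."""
    if not token:
        return False
    return hmac.compare_digest(token, issue_csrf_token(session_id, user_id))


def change_email_vulnerable(session: dict, form: dict, db: dict) -> dict:
    """Trusts the user id supplied in the form and never checks a token.

    A cross-site form post arrives with the victim's session cookie attached
    by the browser, so this path lets an attacker pick any user id.
    """
    uid = int(form["user_id"])
    db[uid]["email"] = form["email"]
    return {"ok": True, "user_id": uid}


def change_email_hardened(session: dict, form: dict, db: dict) -> dict:
    """Same operation with both checks in place."""
    uid = session["user_id"]  # identity comes from the session, never the form
    if form.get("user_id") != str(uid):  # request must target the logged-in user
        return {"ok": False, "reason": "user mismatch"}
    if not token_is_valid(form.get("csrf_token"), session["id"], uid):
        return {"ok": False, "reason": "bad csrf token"}
    db[uid]["email"] = form["email"]
    return {"ok": True, "user_id": uid}


def simulate() -> dict:
    """Replays one forged and one legitimate request against both handlers."""
    base_db = {1001: {"email": "victim@example.com"}}  # constructed account
    victim_session = {"id": secrets.token_hex(8), "user_id": 1001}
    # Form an attacker's page makes the victim's browser submit. The browser
    # adds the session cookie, but the attacker cannot read the CSRF token.
    forged = {"user_id": "1001", "email": "attacker@example.net"}
    results = {}

    db_v = {k: dict(v) for k, v in base_db.items()}
    results["vulnerable"] = change_email_vulnerable(victim_session, forged, db_v)
    results["vulnerable_email"] = db_v[1001]["email"]

    db_h = {k: dict(v) for k, v in base_db.items()}
    results["hardened"] = change_email_hardened(victim_session, forged, db_h)
    results["hardened_email"] = db_h[1001]["email"]

    # Forged request that carries a valid token but targets another account.
    wrong_user = {
        "user_id": "2002",
        "email": "attacker@example.net",
        "csrf_token": issue_csrf_token(victim_session["id"], 1001),
    }
    results["wrong_user"] = change_email_hardened(victim_session, wrong_user, db_h)

    # Legitimate request from the victim's own page carries the issued token.
    legit = {
        "user_id": "1001",
        "email": "new@example.com",
        "csrf_token": issue_csrf_token(victim_session["id"], 1001),
    }
    results["legit"] = change_email_hardened(victim_session, legit, db_h)
    results["legit_email"] = db_h[1001]["email"]
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Binding the token to the user id as well as the session is what makes the second check cheap: a request for a different account fails the user check before the token is even compared, and a forged request for the right account still fails because the attacker's page cannot read the token out of the victim's origin.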
Here's one. A use-after-free triggered due to some faulty logic.
Mistake? Yes. Amateur mistake? No. Even very experienced C/C++ programmers, such as Microsoft's top devs, may accidentally double-free, or use already-freed memory.
It is obvious they don't take basic security seriously.
I would disagree.
For a very actively developed web site, it takes very good focus to not trip up. Having a bounty program is an indication to me that they take security seriously. Fixing a security bug in a matter of hours indicates to me that they take security seriously.
Interestingly, several of my wife's Hotmail-using Facebook friends' accounts appeared to have been owned last night. Has someone found a new similar exploit?
The exploit may not have been patched in the mobile version of facebook or may still work using a hotmail alias (passport.net or w/e). These are just guesses. I dug into Facebook security a while back and they seemed to have very little protection in place on the mobile site.
I believe so. A friend with a Hotmail account (although I don't know if he uses this Hotmail account to log in to FB) got his FB account hacked a couple of days ago.
The redirect URL when you give access to Facebook is different for other email providers. Hotmail (that is, Outlook) is the only one that worked as far as I know. I have tested Gmail and Yahoo, but neither of them was exploitable (there is also a chance I missed something, so it is worth checking again).
Did anyone else notice that the site and social networking properties were all put up at the same time as the post (roughly)? Good tactic for starting a business.