Facebook CSRF leading to full account takeover (fixed) (opens in new tab)

(pyx.io)

222 pointsfranjkovic12y ago51 comments

51 comments

39 comments · 10 top-level

ryhanson12y ago· 10 in thread

How much did you get for this bug via their bug bounty program?

franjkovicOP12y ago

12,500$. (More than)Good enough for me, takes a year of work on average salary to get this much money in my country.

tomschlick12y ago

Congrats. This is exactly how responsible disclosure is supposed to work. You spend valuable time looking for holes and when you find one they fix it quickly and compensate you for your trouble.

bennyg12y ago

That's awesome. Congrats to making the money, and raising the issue correctly - as well as not going off of the ethical deep end.

adamnemecek12y ago

Out of curiosity, how much time did you spend on this?

1 more reply

TomAnthony12y ago

Were you able to do this all with the dummy accounts that Facebook provides for the Bug Bounty program or did any steps require a genuine account? Just curious as I always wonder whether there are bugs that affect genuine accounts and not dummy accounts or vice-versa.

meowface12y ago

That's awesome.

Also sounds like you should maybe try to move to a different country, if you can!

1 more reply

foobarqux12y ago

Probably worth $500k to government actor.

turshija12y ago

Svaka cast druze :)

objclxt12y ago

Given the seriousness, I would hope it is in the five figures (Facebook don't go into details about rewards, but a comparable exploit for a Google Account would net you at least $10k).

pdappollonio12y ago

Let's hope author will update the post with some clues :P

debt12y ago· 8 in thread

That's a pretty amateur mistake for a such an enormous company. Made respect for FB, but c'mon, how'd this slip through? This was a very trivial exploit.

meowface12y ago

I don't really agree. They made all the effort to put CSRF tokens everywhere, and the vast majority are properly validated, but here there was probably some bug where they assumed the CSRF token validation check was always running, but I guess it wasn't.

It's certainly a mistake, but it was probably easy for developers and QA to miss.

memoryfault12y ago

I disagree with that. It's a get request that is changing state server-side. That is a dead giveaway for a CSRF vulnerability.

debt12y ago

They didn't validate the token nor did they make sure the user id was valid for the request; that's two important checks that either weren't there or failed. Seems like they just weren't there as there would have been more failures like this throughout the site. Because those checks weren't there I'd say it was an amateur mistake. Again, if this is the case then the engineer just made an assumption that this request can only be made in particular user state.

RKearney12y ago

Nearly every exploit is a "pretty amateur mistake" in hindsight.

adamnemecek12y ago

Not really, no.

1 more reply

mehwoot12y ago

Almost every exploit in the wild seems trivial. The hard part is ensuring you don't ever miss one.

homakov12y ago

you are right, facebook had lots of CSRF previously, it is obvious they don't take basic security seriously

wglb12y ago

it is obvious they don't take basic security seriously

I would disagree.

For a very actively developed web site, it takes very good focus to not trip up. Having a bounty program is an indication to me that they take security seriously. Fixing a security bug in a matter of hours indicates to me that they take security seriously.

1 more reply

bdcravens12y ago· 6 in thread

Should the title be updated to reflect that this is 2+ months old? After all, the fix was put in place in a couple of hours. This isn't a current bug, but rather, an excellent post-mortem, but the title suggests present tense.

adamnemecek12y ago

The write up is from yesterday about a bug fixed a while back, as per responsible disclosure.

ParkerK12y ago

Most responsible disclosure is normally posted about sooner though. I think what the OP meant is that waiting 2 months later, and then giving the post this title, makes it seem as though it was a more recent bug

1 more reply

Zoomla12y ago

Do you really expect to learn about open bugs by reading HN?

rmc12y ago

Anyone who writes about security bugs like this where it's a "current bug" is being shitty. Follow responsible disclosure, people.

jrochkind112y ago

If you read the OP, you'll find that's what happened.

1 more reply

bdcravens12y ago

I wasn't at all suggesting disclosing a bug before it's fixed. The write-up was great, the disclosure correct. I was merely saying that the HN title should reflect the current state of affairs.

himal12y ago· 2 in thread

I'm surprised that it took this long to discover this.I wonder how many this type of exploits are still out there.

yeukhon12y ago

> I'm surprised that it took this long to discover this.

Because the system is complex, and security is hard.

himal12y ago

I meant by the others who are trying to win the bounty.

geden12y ago· 2 in thread

Interestingly several of my wife's hotmail using Facebook friends accounts appeared to have been owned last night. Has someone found a new similar exploit?

chrismarlow912y ago

The exploit may not have been patched in the mobile version of facebook or may still work using a hotmail alias (passport.net or w/e). These are just guesses. I dug into Facebook security a while back and they seemed to have very little protection in place on the mobile site.

antr12y ago

I believe so. A friend with a hotmail account (although I don't know if he uses this hotmail account to login to FB) got his FB account hacked couple of days ago.

bonobo12y ago· 1 in thread

Something I don't get, why is a hotmail account a pre-requisite? Wouldn't this work with any other email account?

franjkovicOP12y ago

Redirect URL when you give access to Facebook is different for other email providers. Hotmail (that is, Outlook) is the only one that worked as far as I know - I have tested Gmail and yahoo, but neither of them were exploitable (there is also chance I missed something, so it is worth checking again).

RexRollman12y ago

I don't like Facebook but I have to give them credit for addressing this so quickly.

franjkovicOP12y ago

You can read about all kinds of bugs and "bugs" I found in bounty programs on my old blog, too http://josipfranjkovic.blogspot.com/

b0b0b0b12y ago

Are there researchers out there testing whether facebook regresses security fixes?

Or would the effort not procure enough reward?

ryansan12y ago

Did anyone else notice that the site and social networking properties were all put up at the same time as the post (roughly)? Good tactic for starting a business.

j / k navigate · click thread line to collapse

51 comments

39 comments · 10 top-level

ryhanson12y ago· 10 in thread

How much did you get for this bug via their bug bounty program?

franjkovicOP12y ago

12,500$. (More than)Good enough for me, takes a year of work on average salary to get this much money in my country.

tomschlick12y ago

Congrats. This is exactly how responsible disclosure is supposed to work. You spend valuable time looking for holes and when you find one they fix it quickly and compensate you for your trouble.

bennyg12y ago

That's awesome. Congrats to making the money, and raising the issue correctly - as well as not going off of the ethical deep end.

adamnemecek12y ago

Out of curiosity, how much time did you spend on this?

1 more reply

TomAnthony12y ago

meowface12y ago

That's awesome.

Also sounds like you should maybe try to move to a different country, if you can!

1 more reply

foobarqux12y ago

Probably worth $500k to government actor.

turshija12y ago

Svaka cast druze :)

objclxt12y ago

Given the seriousness, I would hope it is in the five figures (Facebook don't go into details about rewards, but a comparable exploit for a Google Account would net you at least $10k).

pdappollonio12y ago

Let's hope author will update the post with some clues :P

debt12y ago· 8 in thread

That's a pretty amateur mistake for a such an enormous company. Made respect for FB, but c'mon, how'd this slip through? This was a very trivial exploit.

meowface12y ago

It's certainly a mistake, but it was probably easy for developers and QA to miss.

memoryfault12y ago

I disagree with that. It's a get request that is changing state server-side. That is a dead giveaway for a CSRF vulnerability.

debt12y ago

RKearney12y ago

Nearly every exploit is a "pretty amateur mistake" in hindsight.

adamnemecek12y ago

Not really, no.

1 more reply

mehwoot12y ago

Almost every exploit in the wild seems trivial. The hard part is ensuring you don't ever miss one.

homakov12y ago

you are right, facebook had lots of CSRF previously, it is obvious they don't take basic security seriously

wglb12y ago

it is obvious they don't take basic security seriously

I would disagree.

1 more reply

bdcravens12y ago· 6 in thread

adamnemecek12y ago

The write up is from yesterday about a bug fixed a while back, as per responsible disclosure.

ParkerK12y ago

1 more reply

Zoomla12y ago

Do you really expect to learn about open bugs by reading HN?

rmc12y ago

Anyone who writes about security bugs like this where it's a "current bug" is being shitty. Follow responsible disclosure, people.

jrochkind112y ago

If you read the OP, you'll find that's what happened.

1 more reply

bdcravens12y ago

I wasn't at all suggesting disclosing a bug before it's fixed. The write-up was great, the disclosure correct. I was merely saying that the HN title should reflect the current state of affairs.

himal12y ago· 2 in thread

I'm surprised that it took this long to discover this.I wonder how many this type of exploits are still out there.

yeukhon12y ago

> I'm surprised that it took this long to discover this.

Because the system is complex, and security is hard.

himal12y ago

I meant by the others who are trying to win the bounty.

geden12y ago· 2 in thread

Interestingly several of my wife's hotmail using Facebook friends accounts appeared to have been owned last night. Has someone found a new similar exploit?

chrismarlow912y ago

antr12y ago

I believe so. A friend with a hotmail account (although I don't know if he uses this hotmail account to login to FB) got his FB account hacked couple of days ago.

bonobo12y ago· 1 in thread

Something I don't get, why is a hotmail account a pre-requisite? Wouldn't this work with any other email account?

franjkovicOP12y ago

RexRollman12y ago

I don't like Facebook but I have to give them credit for addressing this so quickly.

franjkovicOP12y ago

You can read about all kinds of bugs and "bugs" I found in bounty programs on my old blog, too http://josipfranjkovic.blogspot.com/

b0b0b0b12y ago

Are there researchers out there testing whether facebook regresses security fixes?

Or would the effort not procure enough reward?

ryansan12y ago

Did anyone else notice that the site and social networking properties were all put up at the same time as the post (roughly)? Good tactic for starting a business.

j / k navigate · click thread line to collapse