Facebook has just paid a $25,000 reward for the report of a critical cross-site request forgery (CSRF) vulnerability. According to network security specialists from the International Cybernetic Security Institute, the vulnerability could have been exploited to hijack accounts on the social network; the attacker only needed to trick the victim into clicking a specially crafted link.
The white hat hacker known in the community as “Samm0uda” was the one who reported the flaw to the social network, which paid him the sum mentioned above.
“The vulnerability could have allowed malicious users to send forms with forged tokens to arbitrary endpoints on Facebook, which made it possible to take control of the victim’s account. Victims only had to click on a link”, added the network security specialist.
“Exploiting the vulnerability is possible thanks to a vulnerable endpoint that takes another Facebook endpoint selected by the attacker, along with other parameters, and makes a POST request to that endpoint after adding the fb_dtsg parameter. Besides, this endpoint is located under the main domain www.facebook.com, so it is easy for attackers to trick victims into visiting that URL”, added Samm0uda.
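The pattern Samm0uda describes, a forwarding endpoint that appends the session's own anti-CSRF token before re-POSTing to an attacker-chosen target, is modelled below beside a hardened variant. This is an added illustration, not Facebook's code; the endpoint paths, session class and `fb_dtsg` values are constructed placeholders.

```python
# Added illustration (not Facebook's code): a request-forwarding endpoint that
# appends the session's anti-CSRF token on the caller's behalf, beside a
# hardened variant. All paths, names and tokens are constructed placeholders.
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    fb_dtsg: str = field(default_factory=lambda: secrets.token_hex(8))


# Hypothetical allowlist of internal endpoints the forwarder may call.
ALLOWED_TARGETS = {"/hypothetical/settings/photo"}


def internal_post(session, target, body):
    """Simulated downstream handler: it trusts any request carrying the
    session's token, which is exactly why the forwarder must not add it."""
    if body.get("fb_dtsg") != session.fb_dtsg:
        return {"status": 403}
    return {"status": 200, "target": target, "acting_as": session.user}


def forward_vulnerable(session, target, params):
    """The pattern the report describes: arbitrary target, token added here,
    so a cross-site request never needs to know the token."""
    body = dict(params, fb_dtsg=session.fb_dtsg)
    return internal_post(session, target, body)


def forward_hardened(session, target, params):
    """Fix: the caller must already present the token, and the target must
    be on an allowlist rather than attacker-selected."""
    if params.get("fb_dtsg") != session.fb_dtsg:
        return {"status": 403, "reason": "missing or invalid fb_dtsg"}
    if target not in ALLOWED_TARGETS:
        return {"status": 400, "reason": "target endpoint not allowlisted"}
    return internal_post(session, target, params)


def cross_site_request(forwarder, victim):
    """Model a link the victim is lured into clicking: the browser attaches the
    victim's session, but the attacker-controlled URL carries no token."""
    attacker_params = {"target": "/hypothetical/profile/update", "status": "x"}
    target = attacker_params.pop("target")
    return forwarder(victim, target, attacker_params)
```

Run against the vulnerable forwarder the cross-site request succeeds as the victim; against the hardened one it is rejected for lacking the token, and even a token-bearing request to a non-allowlisted target is refused.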
The network security expert published the URL used in his test, which could be exploited to post anything on the victim’s timeline, or even change their profile picture. The vulnerability could even have been exploited to delete a Facebook account, although the victim had to enter their password before the account deletion process completed.
As if that were not enough, the vulnerability could also have been exploited to reset the password of an account by changing the email address or phone number linked to it. The attacker had to send a few requests to Facebook to add his own contact details to the account, after which resetting the password would be very easy.
To take full control of an account, an attacker would need to exploit the vulnerability twice: once to add or replace his email address or phone number, and a second time to confirm the change.
The expert could also create a unique link that allowed him to obtain the access token of the victims