
Facebook CSRF Closed Vulnerability

The vulnerability was discovered by Josip Franjković and fixed about two months ago; yesterday the author wrote it up on the pyx.io blog. The bug resembles Dan Melamed's find.
Exploitation required a Facebook account, an Outlook.com mailbox, and a victim. The Outlook address must not already be linked to your Facebook account.
Facebook has a "Find contacts on Facebook" feature that invites people from your contact list and adds the imported email address to your account.
When you grant Facebook access to your Outlook address book, a GET request is sent to
m.facebook.com/contact-importer/login/?api_instance=1&api_ver=wave5&auth_token=TOKEN
which adds an email to your account.
A valid token the author received:
{"code":"2c59ed24-8674-a76a-3232-6fse0d6d5cc7",
"redirect_uri":"https://www.facebook.com/accept_token.php?api_ver=wave5&csrf=AQDt6cT&
appdata={"use_case":1,"type":1,"flow":30,"domain_id":4,"tracked_params":"[]","enc_uid":"AdjjCVjSQ3I1RFRllRz81ohsy737W7oipkrAYKmCYISHLHcmzi55G4GaGckcSCP97t0",
"post_login_redirect":"https:\/\/m.facebook.com\/contact-importer\/login\/?api_instance=1&api_ver=wave5"}"}
This request carried no checks at all, so it could be replayed as many times as desired. Worse, the same request worked against other users' accounts.
The attack scenario was as follows: use "Find contacts on Facebook" from your own account while logging every request; locate the request to
/contact-importer/login
; unlink the newly added email from your account; and then, by any means, cause the victim to make the same request to /contact-importer/login
. The email is now added to the victim's account, and the "Forgot your password" feature can be used to gain access to it. Exploit demo video: