Thursday 8 August 2013

Facebook Fanpage Invite Exploit & CSRF

I'm finally able to write about another vulnerability now that it's been patched. This one would probably be considered a medium-severity bug.

I discovered a feature on Facebook that allows you to invite your friends to like a Facebook Fanpage. I found two vulnerabilities in this feature:

1. A way to invite any Facebook user to like a Fanpage, even if they are not my friend (the invitee was never checked against the inviter's friend list)
2. A Cross Site Request Forgery (CSRF) flaw in the invite request itself

The scenario is that a spammer could set up a bot to collect every Facebook user ID and spam all of them with unwanted invites to like their fanpage. The CSRF meant that invites could also be sent on behalf of any logged-in user who merely visited a malicious website.

To reproduce this flaw, you first visit a link with the ID of the page you want to invite friends to:
https://x.facebook.com/send_page_invite/?pageid=583584051694359

You will see a list of your friends to invite. When you click to invite someone, change the invitee_id parameter in the resulting HTTP request to the Facebook user ID of someone who is not in your friends list; the invite is still delivered.

The CSRF flaw was that the request used the GET method without any anti-CSRF token, so any third-party page could trigger it (for example with an image tag or a link) using the victim's own session cookies:
http://x.facebook.com/a/send_page_invite/?invitee_id=4&page_id=583584051694359

Visiting the link above would invite Mark Zuckerberg (profile id: 4) to like your fanpage.

After the patch, the endpoint requires a POST request that includes the fb_dtsg token, and you can no longer send invites to people who are not on your friends list. Depending on the target user's notification settings, the invite appears either in their notifications or under the "Like Pages" tab, and Facebook usually also emails the user to say they were invited to like the fanpage.
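To make the two bugs and the fix concrete, here is an added example (my own illustration, not Facebook's code) that models the send_page_invite endpoint before and after the patch described above. The session store, the user IDs 1001/1002/1003, the token value and the friend lists are constructed for the example; fb_dtsg is modelled as a per-session secret that must be echoed back in the POST body, which matches how the patched request behaves but is otherwise an assumption about Facebook's internals.

```javascript
// Added example: vulnerable vs. patched handler for a "send page invite" request.
// Everything below (session store, IDs, token) is constructed for illustration.

// Constructed session store: cookie value -> { userId, fbDtsg, friends }
const sessions = {
  'sess-alice': {
    userId: 1001,
    fbDtsg: 'AQHxample_dtsg_token_1001', // constructed per-session anti-CSRF secret
    friends: new Set([1002, 1003]),
  },
};

// Compare two strings without leaking where they differ through timing.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// BEFORE the patch: GET, no token, and invitee_id is trusted as-is.
// Both bugs live here: any site can forge the GET (CSRF), and any user ID
// can be supplied as the invitee (no friendship check).
function sendPageInviteVulnerable(req) {
  const session = sessions[req.cookies.sid];
  if (!session) return { status: 401, error: 'not logged in' };
  const inviteeId = Number(req.query.invitee_id);
  const pageId = String(req.query.page_id);
  return { status: 200, invite: { from: session.userId, to: inviteeId, pageId } };
}

// AFTER the patch: POST only, fb_dtsg must match the session's token, and the
// invitee must be in the inviter's friend list.
function sendPageInvitePatched(req) {
  const session = sessions[req.cookies.sid];
  if (!session) return { status: 401, error: 'not logged in' };
  if (req.method !== 'POST') return { status: 405, error: 'POST required' };
  const token = String((req.body && req.body.fb_dtsg) || '');
  if (!constantTimeEqual(token, session.fbDtsg)) {
    return { status: 403, error: 'bad or missing fb_dtsg' };
  }
  const inviteeId = Number(req.body.invitee_id);
  const pageId = String(req.body.page_id);
  if (!Number.isInteger(inviteeId) || !session.friends.has(inviteeId)) {
    return { status: 403, error: 'invitee is not a friend of the inviter' };
  }
  return { status: 200, invite: { from: session.userId, to: inviteeId, pageId } };
}

// The CSRF vector: a page on an attacker's origin embeds the vulnerable URL.
// The victim's browser attaches the facebook.com cookies automatically.
const attackerPageHtml =
  '<img src="http://x.facebook.com/a/send_page_invite/?invitee_id=4&page_id=583584051694359">';

// The forged request as the server sees it: GET, victim's cookie, no token.
function crossSiteGetRequest() {
  return {
    method: 'GET',
    cookies: { sid: 'sess-alice' },
    query: { invitee_id: '4', page_id: '583584051694359' },
    body: {},
  };
}

// A legitimate request from the real UI after the patch: POST with fb_dtsg.
function legitimatePostRequest(inviteeId) {
  return {
    method: 'POST',
    cookies: { sid: 'sess-alice' },
    query: {},
    body: {
      invitee_id: String(inviteeId),
      page_id: '583584051694359',
      fb_dtsg: sessions['sess-alice'].fbDtsg,
    },
  };
}

// Walk through the cases described in the post and return the outcomes.
function demo() {
  const forged = crossSiteGetRequest();
  const stranger = legitimatePostRequest(4);      // ID 4 is not in Alice's friend list
  const friend = legitimatePostRequest(1002);
  const badToken = legitimatePostRequest(1002);
  badToken.body.fb_dtsg = 'wrong-token';
  return {
    forgedGetBeforePatch: sendPageInviteVulnerable(forged).status,   // 200: CSRF + non-friend invite succeed
    forgedGetAfterPatch: sendPageInvitePatched(forged).status,       // 405: GET rejected
    strangerAfterPatch: sendPageInvitePatched(stranger).status,      // 403: not a friend
    badTokenAfterPatch: sendPageInvitePatched(badToken).status,      // 403: fb_dtsg mismatch
    friendAfterPatch: sendPageInvitePatched(friend).status,          // 200: legitimate invite
  };
}

console.log(attackerPageHtml);
console.log(demo());
```

Note that the method restriction on its own is not a CSRF defence (a cross-site form can POST just as easily as an image can GET); what stops the forgery is that the attacker's page cannot read the victim's fb_dtsg value to include it. The friendship check is a separate authorization fix and closes the first bug regardless of how the request arrived.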

Video Proof of Concept (best viewed in HD):

Update (August 20th): I'm receiving $5,000 for both of these bugs


About Me

I'm a security researcher. You can follow me on twitter @danmelamed

Contact

Media Inquiries:
press.danm@gmail.com

Questions or Comments
general.danm@gmail.com