A security researcher, who goes by the username “Samm0uda,” discovered that a flawed endpoint (facebook.com/comet/dialog_DONOTUSE/) can be exploited to bypass CSRF protections and take over anyone’s account.
Any victim of this attack needs to be tricked into clicking a specially crafted URL, as mentioned on Samm0uda’s blog. An attacker can perform multiple actions, such as posting anything on the victim’s timeline, changing or deleting their profile picture, and even tricking them into deleting their entire Facebook account.
“This is possible because of a vulnerable endpoint which takes another given Facebook endpoint selected by the attacker along with the parameters and makes a POST request to that endpoint after adding the fb_dtsg parameter,” the researcher explained.
“Also, this endpoint is located under the main domain www.facebook.com, which makes it easier for the attacker to trick his victims into visiting the URL.”
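To make the design flaw concrete, here is an added toy model in Python (not code from Facebook or from the researcher’s write-up): a “dialog” proxy that attaches the session’s CSRF token to whatever target it is handed, beside a hardened version that requires the token on the inbound request and restricts targets to an allow-list. The Session class, the endpoint paths and the messages are constructed for this example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Constructed stand-in for a logged-in browser session."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


TIMELINE = {}  # user -> list of posted messages (constructed state)


def post_to_timeline(session, params):
    TIMELINE.setdefault(session.user, []).append(params["message"])
    return "posted"


ENDPOINTS = {"/timeline/post": post_to_timeline}  # hypothetical paths


def handle_post(session, path, params):
    """A protected endpoint: rejects any request lacking the session's token."""
    if params.get("fb_dtsg") != session.csrf_token:
        return "csrf check failed"
    return ENDPOINTS[path](session, params)


def vulnerable_dialog(session, target, params):
    """Flawed pattern: reachable via a plain link, accepts an arbitrary target
    and parameters, and adds the token itself, so the token no longer proves
    the request originated from the victim."""
    return handle_post(session, target, dict(params, fb_dtsg=session.csrf_token))


DIALOG_TARGETS = frozenset({"/timeline/post"})  # intended targets only


def hardened_dialog(session, target, params):
    """Fix: the inbound request must carry the token, and only allow-listed
    targets are forwarded."""
    if params.get("fb_dtsg") != session.csrf_token:
        return "csrf check failed"
    if target not in DIALOG_TARGETS:
        return "target not allowed"
    return handle_post(session, target, params)


def crafted_link_scenario():
    """A link crafted by a third party carries target and params but cannot
    carry the victim's token; compare what each dialog does with it."""
    victim = Session("victim")
    link = {"target": "/timeline/post", "params": {"message": "unwanted post"}}
    return (vulnerable_dialog(victim, link["target"], link["params"]),
            hardened_dialog(victim, link["target"], link["params"]))
```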
How is it done?
Taking over an account or tricking someone into deleting it requires some effort, as the victim is required to enter their password before the account is officially deleted.
The victim would be required to visit two separate URLs: the first to add the email and the second to confirm it. The ‘normal’ endpoint used to add emails doesn’t have a ‘next’ parameter to redirect the user after a successful request.
However, an attacker can still take over the account with a single URL by finding the endpoints that do have the ‘next’ parameter and by authorising an app to obtain a Facebook access token.
With access to the tokens, an attacker can automatically add their own email address, allowing them to fully take over the account by simply resetting the password and locking the real user out of their Facebook account.
Although this process involves multiple steps, the complete one-click exploit would allow anyone to hijack your Facebook account “in the blink of an eye.”
Such attacks can be stopped if you have two-factor authentication enabled, which prevents attackers from logging in unless they can also verify the 6-digit passcode.
The researcher reported the vulnerability to Facebook on January 26th. Facebook acknowledged the issue and addressed it on January 31st, rewarding him with $25,000.