
Facebook CSRF leading to full account takeover (fixed)

222 points | franjkovic | 12 years ago | pyx.io

51 comments

[+] bdcravens|12 years ago|reply
Should the title be updated to reflect that this is 2+ months old? After all, the fix was put in place in a couple of hours. This isn't a current bug but rather an excellent post-mortem; the title, though, suggests present tense.
[+] adamnemecek|12 years ago|reply
The write up is from yesterday about a bug fixed a while back, as per responsible disclosure.
[+] Zoomla|12 years ago|reply
Do you really expect to learn about open bugs by reading HN?
[+] rmc|12 years ago|reply
Anyone who writes about security bugs like this where it's a "current bug" is being shitty. Follow responsible disclosure, people.
[+] ryhanson|12 years ago|reply
How much did you get for this bug via their bug bounty program?
[+] franjkovic|12 years ago|reply
$12,500. (More than) good enough for me; it takes a year of work on an average salary to get this much money in my country.
[+] objclxt|12 years ago|reply
Given the seriousness, I would hope it is in the five figures (Facebook don't go into details about rewards, but a comparable exploit for a Google Account would net you at least $10k).
[+] pdappollonio|12 years ago|reply
Let's hope the author will update the post with some clues :P
[+] himal|12 years ago|reply
I'm surprised that it took this long to discover this. I wonder how many exploits of this type are still out there.
[+] yeukhon|12 years ago|reply
> I'm surprised that it took this long to discover this.

Because the system is complex, and security is hard.

[+] RexRollman|12 years ago|reply
I don't like Facebook but I have to give them credit for addressing this so quickly.
[+] debt|12 years ago|reply
That's a pretty amateur mistake for such an enormous company. Mad respect for FB, but c'mon, how'd this slip through? This was a very trivial exploit.
[+] meowface|12 years ago|reply
I don't really agree. They made all the effort to put CSRF tokens everywhere, and the vast majority are properly validated, but here there was probably some bug where they assumed the CSRF token validation check was always running, but I guess it wasn't.

It's certainly a mistake, but it was probably easy for developers and QA to miss.

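The failure mode described in the comment above (a handler that assumes the CSRF check already ran, when for that route it never did) is easy to show in code. The following is an added illustration, not code from the original post or from Facebook: a constructed route table where each route opts in to token validation, beside a dispatcher that enforces the check for every state-changing method before routing. Session ids, paths, origins and the `csrf` form field name are all hypothetical.

```python
import hmac
import secrets

# Constructed fixtures (hypothetical, not any real site's implementation).
SESSIONS = {"sess-victim": secrets.token_hex(16)}   # session id -> per-session CSRF token
SITE_ORIGIN = "https://app.example"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def csrf_token_valid(session_id, submitted):
    """Compare the submitted token with the session's token in constant time."""
    expected = SESSIONS.get(session_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def origin_allowed(headers):
    """Defense in depth: browsers attach Origin to cross-site form posts and a page cannot forge it."""
    return headers.get("Origin") == SITE_ORIGIN


# Business handlers. They assume the request was already authorised; that assumption is where bugs hide.
def link_email(request):
    return ("linked", request["form"]["email"])


def view_profile(request):
    return ("profile", request["session_id"])


# 'Before': each route opts in to the check. A route that forgets is silently unprotected.
ROUTES_OPT_IN = {
    ("GET", "/profile"): (view_profile, False),
    ("POST", "/settings/email"): (link_email, False),   # should have been True; nobody noticed
}


def dispatch_opt_in(request):
    handler, wants_csrf = ROUTES_OPT_IN[(request["method"], request["path"])]
    if wants_csrf and not csrf_token_valid(request["session_id"], request["form"].get("csrf")):
        return ("rejected", "csrf")
    return handler(request)


# 'After': the gate runs before routing for every state-changing method; a handler cannot opt out by omission.
ROUTES = {
    ("GET", "/profile"): view_profile,
    ("POST", "/settings/email"): link_email,
}


def dispatch_enforced(request):
    if request["method"] in STATE_CHANGING:
        if not csrf_token_valid(request["session_id"], request["form"].get("csrf")):
            return ("rejected", "csrf")
        if not origin_allowed(request["headers"]):
            return ("rejected", "origin")
    return ROUTES[(request["method"], request["path"])](request)


def forged_request():
    """Constructed cross-site request: the browser attaches the victim's session cookie,
    but the attacker's page cannot read the per-session token, so the form carries none."""
    return {"method": "POST", "path": "/settings/email", "session_id": "sess-victim",
            "headers": {"Origin": "https://evil.example"},
            "form": {"email": "attacker@evil.example"}}


def legitimate_request():
    """Constructed same-site request carrying the token the page rendered for this session."""
    return {"method": "POST", "path": "/settings/email", "session_id": "sess-victim",
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"email": "me@example.org", "csrf": SESSIONS["sess-victim"]}}


if __name__ == "__main__":
    print(dispatch_opt_in(forged_request()))       # ('linked', 'attacker@evil.example') <- the bug
    print(dispatch_enforced(forged_request()))     # ('rejected', 'csrf')
    print(dispatch_enforced(legitimate_request())) # ('linked', 'me@example.org')
```

The point of the second dispatcher is structural rather than cryptographic: the opt-in table makes "did this route remember the check?" a question that has to be answered correctly for every route, while the enforced dispatcher makes the safe answer the default and turns any exemption into an explicit, reviewable decision. A regression test that replays a token-less cross-origin request against every state-changing route is the cheapest way to keep that property from drifting.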
[+] RKearney|12 years ago|reply
Nearly every exploit is a "pretty amateur mistake" in hindsight.
[+] mehwoot|12 years ago|reply
Almost every exploit in the wild seems trivial. The hard part is ensuring you don't ever miss one.
[+] homakov|12 years ago|reply
You are right, Facebook had lots of CSRFs previously; it is obvious they don't take basic security seriously.
[+] geden|12 years ago|reply
Interestingly, several of my wife's Hotmail-using Facebook friends' accounts appeared to have been owned last night. Has someone found a new similar exploit?
[+] chrismarlow9|12 years ago|reply
The exploit may not have been patched in the mobile version of facebook or may still work using a hotmail alias (passport.net or w/e). These are just guesses. I dug into Facebook security a while back and they seemed to have very little protection in place on the mobile site.
[+] antr|12 years ago|reply
I believe so. A friend with a Hotmail account (although I don't know if he uses this Hotmail account to log in to FB) got his FB account hacked a couple of days ago.
[+] bonobo|12 years ago|reply
Something I don't get: why is a Hotmail account a prerequisite? Wouldn't this work with any other email account?
[+] franjkovic|12 years ago|reply
The redirect URL when you give access to Facebook is different for other email providers. Hotmail (that is, Outlook) is the only one that worked as far as I know; I have tested Gmail and Yahoo, but neither of them was exploitable (there is also a chance I missed something, so it is worth checking again).
[+] b0b0b0b|12 years ago|reply
Are there researchers out there testing whether facebook regresses security fixes?

Or would the effort not procure enough reward?

[+] ryansan|12 years ago|reply
Did anyone else notice that the site and social networking properties were all put up at the same time as the post (roughly)? Good tactic for starting a business.