CSRF Email Confirmation Vulnerability for Gmail & G-Suite in Facebook

This post is about a bug that I found on Facebook which could be used to verify any new Gmail or G-Suite account with minimal interaction from the victim.


When a user creates a new Facebook account with a Gmail address, they can confirm the account in two ways:

  1. Confirming by entering a 5-digit confirmation code
  2. Confirming by OAuth login.

Method 1 is hard to bypass because the confirmation code is rate limited. Even if we try to brute-force it, Facebook will block the account with a Checkpoint block due to suspicious activity.

So I tried method 2. While testing it I found a bug in the OAuth login flow: the CSRF token validation was missing.

The state parameter is a CSRF token: it ties the OAuth response back to the request (and the browser session) that started the flow.

Example:

If a state parameter is generated in a Firefox browser, then it should work only in the same browser where it was generated.

But in this endpoint proper validation was missing, and the same CSRF token could be used in any browser. So the attacker could easily embed the URL in a web page, and once the victim clicked the link, the victim's email would be confirmed on the attacker's account.

But there is one problem: before clicking the link, the attacker's account must already be logged in on the victim's browser. Facebook has some one-tap login URLs.

I used this link. Once the malicious page loaded, the link was loaded in an iframe, and the attacker's account was logged into the victim's browser.

Once the OAuth popup loaded, the victim's email was confirmed, and once the popup closed the attacker's account was logged out using the logout endpoint below.

So by combining this whole process in one web page, the attacker's account is logged into the victim's browser, and after the confirmation the account is logged out again.

Video POC:

Timeline:

10-May-2019: Report sent

17-May-2019: Further investigation by Facebook

31-May-2019: Fixed by Facebook

19-June-2019: $3,000 bounty awarded by Facebook


I would like to thank the Facebook Security Team for this bounty.
