Facebook SMS Captcha Was Vulnerable to CSRF Attack
This post is about a bug I found on Meta (aka Facebook) that allowed the SMS captcha flow to send a POST request to any endpoint, which leads to a CSRF attack.
After reporting the Contact Point Deanonymization bug, I started looking for a way to bypass it in the account recovery flow. While sending multiple OTP code requests, I was hit with the SMS captcha flow.
Vulnerable Endpoint:
https://m.facebook.com/sms/captcha/?next=/path
While digging deeper into the captcha page, I found that the next= parameter is vulnerable to CSRF: the endpoint applies no CSRF protection to next=, and the supplied value is used as the form's action URL, which is submitted as a POST request together with the fb_dtsg CSRF token. Because the server renders the victim's own fb_dtsg into the form, the attacker never needs to know the token; the victim's click supplies it.
So an attacker can set next= to any sensitive GraphQL endpoint.
Examples of actions the attacker can force:
- creating, updating or deleting feed posts and stories
- adding or removing an email address or mobile number
- modifying any sensitive setting under /setting, etc.
If the victim clicks the Continue button, the POST request is sent with the CSRF token, so the request to the action URL executes successfully.
Fix:
Meta fixed this vulnerability by adding a next_mac=**** CSRF protection and allowing only the OTP-code-sending endpoint as the SMS captcha form's action URL.
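To make the before/after concrete, here is an added example that models both the vulnerable behaviour described above (next= copied straight into the form action, with fb_dtsg filled in by the server) and the shape of the fix (an allowlisted action plus a keyed MAC over next). This is illustration code written for this post, not Meta's code: the secret, the /send_otp/ path, the form markup and the choice of HMAC-SHA256 for next_mac are all assumptions; the post only says that a next_mac parameter was added.

```python
import hashlib
import hmac
from html import escape
from urllib.parse import urlencode

# Constructed illustration, not Meta's code. The secret, the endpoint
# paths and the form markup are assumptions made for this example.
SERVER_SECRET = b"example-only-server-secret"
OTP_SEND_PATH = "/send_otp/"          # hypothetical OTP-sending endpoint
ALLOWED_NEXT = {OTP_SEND_PATH}        # the only action the captcha form may POST to


def sign_next(next_path: str) -> str:
    """HMAC over the next path; models the role of the post-fix next_mac parameter (assumed construction)."""
    return hmac.new(SERVER_SECRET, next_path.encode(), hashlib.sha256).hexdigest()


def form_html(action: str, fb_dtsg: str) -> str:
    """The captcha form: a POST to `action` carrying the session's fb_dtsg token."""
    return (
        f'<form method="POST" action="{escape(action, quote=True)}">'
        f'<input type="hidden" name="fb_dtsg" value="{escape(fb_dtsg, quote=True)}">'
        '<input name="captcha_response">'
        '<button type="submit">Continue</button>'
        "</form>"
    )


def render_captcha_vulnerable(query: dict, fb_dtsg: str) -> str:
    """Pre-fix behaviour as the write-up describes it: next= becomes the form
    action with no validation. The server fills in fb_dtsg itself, so the
    attacker never needs the token; the victim's click on Continue supplies it."""
    return form_html(query.get("next", "/"), fb_dtsg)


def resolve_next_fixed(query: dict):
    """Post-fix checks: next must be a same-origin path on the allowlist and
    must carry a valid next_mac. Returns the path, or None to refuse the form."""
    next_path = query.get("next")
    next_mac = query.get("next_mac", "")
    if not next_path or not next_path.startswith("/") or next_path.startswith("//"):
        return None                      # no absolute or protocol-relative URLs
    if next_path not in ALLOWED_NEXT:
        return None                      # only the OTP-sending endpoint is allowed
    if not hmac.compare_digest(next_mac, sign_next(next_path)):
        return None                      # attacker cannot forge next_mac without the secret
    return next_path


def render_captcha_fixed(query: dict, fb_dtsg: str):
    """Render the form only when next/next_mac pass the checks, else refuse (None)."""
    next_path = resolve_next_fixed(query)
    return None if next_path is None else form_html(next_path, fb_dtsg)


def attacker_link(target_path: str) -> str:
    """The crafted captcha URL an attacker would send to the victim (pre-fix)."""
    return "https://m.facebook.com/sms/captcha/?" + urlencode({"next": target_path})


if __name__ == "__main__":
    victim_token = "victim-fb_dtsg"                  # constructed token value
    evil = {"next": "/some/sensitive/endpoint"}      # hypothetical target path
    print(attacker_link(evil["next"]))
    print(render_captcha_vulnerable(evil, victim_token))   # action points at the attacker's path
    print(render_captcha_fixed(evil, victim_token))        # None: not allowlisted, no MAC
    good = {"next": OTP_SEND_PATH, "next_mac": sign_next(OTP_SEND_PATH)}
    print(render_captcha_fixed(good, victim_token))        # only the legitimate action renders
```

The point the fixed version makes is that a per-session CSRF token alone does not help when the server itself embeds that token in a form whose target the attacker controls; the target must be bound to the server (here by allowlisting it and by a MAC the attacker cannot compute).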
Video POC:
Timeline:
16-Jan-2022: Report sent
17-Jan-2022: Further investigation by Meta
16-Feb-2022: Fix confirmed by Meta and me
11-Mar-2022: $18,750 bounty awarded by Facebook (with Hacker Plus and timing bonus)
Thank you, Meta team, for quickly triaging and fixing this vulnerability.