Facebook SMS Captcha Was Vulnerable to CSRF Attack

Lokesh Kumar
2 min readOct 17, 2022

--

This post is about an bug that I found on Meta (aka Facebook) which allows to make any Endpoint as POST request in SMS Captcha flow which leads to CSRF attack.

After reporting Contact Point Deanonymization Bug I started to find any way to bypass it in Account recover flow. but when sending multiple OTP code request I got hit with SMS captcha flow.

Vulnerable Endpoint:

https://m.facebook.com/sms/captcha/?next=/path

when digging deeper in captcha page I found that next= parameter is vulnerable to CSRF attack. because the Endpoint doesn't have any CSRF protection and the give action URL is sending as post request with fb_dtsg CSRF token

So attacker can append any sensitive graphql endpoint.

Example:

  1. Create | Update |Deleting ( Feeds, Stories)
  2. Adding or Removing (Email address , Mobile number)
  3. modifying any sensitive changes in /setting , etc…

If victim click the Continue button the POST request will be send with CSRF Token. So the action URL will get executed successfully.

Fix:

Meta fixed this Vulnerability by adding next_mac=**** CSRF Protection and allows only OTP Code sending Endpoint in SMS Captcha form Action URL

Video POC:

https://youtu.be/JcCPjL4aycI

Timeline:

16-jan-2022: Report Sent

17-Jan-2022: Further investigation by Meta

16-Feb-2022: Fixed confirmed by Meta and me

11-Mar-2022: $18750 bounty awarded by Facebook (With Hacker plus & Timing Bonus)

Thank you Meta Team for quick Triaging and fixing this Vulnerability

--

--