An Indian Security Researcher, AMol NAi, has discovered a critical vulnerability in the Social network giant Facebook. He earned $5000 for notifying Facebook about the vulnerability.
He has discovered a cross-site request forgery (CSRF) vulnerability that allows an attacker to execute actions as a logged-in user by accessing specific URLs.
After Facebook introduced its App Center functionality, AMol NAik discovered that the anti-CSRF tokens in HTTP requests are apparently not validated on the server side and that an attacker is therefore able to add applications on the platform as another user.
"There are many new parameters added in this new feature. Parameter 'fb_dtsg' is like token and 'perm' are the permissions required by the apps. Parameters 'redirect_url','app_id' are app specific values. Remaining parameters seems static except 'new_perms' & 'orig_perms'. I started to play with these two dynamic params and after few attempts, I knew that these params no longer needed to add an app." Researcher said in his blog.
"Anti-CSRF tokens like 'fb_dtsg' supposed to get validated at server-side. I was shocked to see that in this new feature, somehow developer missed this point and it was possible to add app without 'fb_dtsg'. Bang!!"
To execute this attack, the attacker merely needs the victim to visit a specially crafted web site, after which malicious applications can be planted on the App Center.
Anti-CSRF measures like the ones employed by Facebook are supposed to prevent this kind of attack by generating a token with every valid session that has to be sent by the client with every request. Scripts on other web sites have no access to this token and therefore can not generate valid requests. In Facebook's case, the App Center pages did not actually check the token for validity, which allowed anyone to send bogus requests and have them accepted.
The Facebook Security team fixed the vulnerability within one day of being contacted by AMol NAik.