Researcher reports a CSRF vulnerability in Facebook's App Center, earns $5,000

A security researcher going by the name AMol NAik has earned a $5,000 bug bounty from Facebook Inc. thanks to a CSRF vulnerability he reported to the Security Team of the world's most popular social networking site.


To add applications to a victim's Facebook Applications list, an attacker would only have to trick the user into visiting a specially crafted Web site.

More details on the PoC (proof of concept) code:

There are many new parameters added in this new feature. Parameter 'fb_dtsg' is like a token, and 'perm' is the permissions required by the apps. Parameters 'redirect_url' and 'app_id' are app-specific values. The remaining parameters seem static except 'new_perms' & 'orig_perms'. I started to play with these two dynamic params, and after a few attempts I knew that these params were no longer needed to add an app. Anti-CSRF tokens like 'fb_dtsg' are supposed to get validated at server-side. I was shocked to see that in this new feature, somehow the developer missed this point and it was possible to add an app without 'fb_dtsg'. Bang!!
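The flaw the researcher describes is a server-side omission: the request carried an anti-CSRF token, but the handler never checked it. The following is an added, hypothetical Python example (not Facebook's code and not the researcher's PoC) that puts a handler with that omission next to one that validates the token. The session identifiers, form dictionaries, the token derivation and the function names are all constructed for illustration; 'fb_dtsg' and 'app_id' are the parameter names quoted above.

```python
"""Server-side anti-CSRF token validation on a stand-in "add app" endpoint.

Hypothetical example code; the session ids, form contents and the way the
token is derived are constructed here and are not Facebook's implementation.
"""
import hashlib
import hmac
import secrets

# Per-deployment server secret (constructed at import time for the example).
SECRET_KEY = secrets.token_bytes(32)

# In-memory stand-in for each user's Applications list, keyed by session id.
INSTALLED_APPS = {}


def issue_token(session_id: str) -> str:
    """Derive the per-session anti-CSRF token the page would embed in its form.

    This plays the role of the article's 'fb_dtsg' value: it is bound to the
    session, so a token captured from the attacker's own session is useless
    against the victim's session.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def add_app_vulnerable(session_id: str, form: dict) -> tuple:
    """Mirrors the reported defect: app parameters are read, the token is not.

    Because nothing ties the request to a page the user actually loaded, a
    cross-site form submission carrying the victim's cookies is accepted.
    """
    app_id = form.get("app_id")
    if not app_id:
        return (400, "missing app_id")
    INSTALLED_APPS.setdefault(session_id, set()).add(app_id)
    return (200, f"added app {app_id}")


def add_app_fixed(session_id: str, form: dict) -> tuple:
    """Hardened handler: the token must be present and match the session.

    compare_digest is used so the check does not leak timing information
    about how many leading characters of the token were correct.
    """
    supplied = form.get("fb_dtsg")
    if not supplied or not hmac.compare_digest(supplied, issue_token(session_id)):
        return (403, "missing or invalid anti-CSRF token")
    app_id = form.get("app_id")
    if not app_id:
        return (400, "missing app_id")
    INSTALLED_APPS.setdefault(session_id, set()).add(app_id)
    return (200, f"added app {app_id}")


def installed_apps(session_id: str) -> set:
    """Return the (constructed) Applications list for a session."""
    return set(INSTALLED_APPS.get(session_id, set()))


if __name__ == "__main__":
    victim = "session-victim"
    # A cross-site submission: the browser attaches the victim's cookies, but
    # the attacker's page cannot read the victim's token, so it is omitted.
    forged = {"app_id": "12345", "perm": "email"}
    print("vulnerable:", add_app_vulnerable(victim, forged))
    print("fixed:     ", add_app_fixed(victim, forged))
    # A legitimate submission from a page the user loaded includes the token.
    legit = dict(forged, fb_dtsg=issue_token(victim))
    print("fixed+token:", add_app_fixed(victim, legit))
```

The check belongs in the request handler, not in the form or the client-side script: the article's point is that the token was shipped to the browser but the server side never required it, and that is exactly the situation a test like "submit without the token and expect a rejection" catches in a regression suite.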

It took Facebook Inc. a day to fix the reported vulnerability.

Find out more about Dancho Danchev at his LinkedIn profile.
