A security researcher going by the name AMol NAik has earned a $5,000 bug bounty from Facebook Inc. thanks to a CSRF vulnerability he reported to the Security Team of the world's most popular social networking site.
In order for a malicious attacker to add applications to a Facebook user's Applications list, he would have to trick him into visiting a specially crafted Web site.
More details on the PoC (proof of concept) code:
There are many new parameters added in this new feature. Parameter 'fb_dtsg' is like a token and 'perm' is the permissions required by the apps. Parameters 'redirect_url', 'app_id' are app-specific values. The remaining parameters seem static except 'new_perms' & 'orig_perms'. I started to play with these two dynamic params and after a few attempts, I knew that these params were no longer needed to add an app. Anti-CSRF tokens like 'fb_dtsg' are supposed to get validated at server-side. I was shocked to see that in this new feature, somehow the developer missed this point and it was possible to add an app without 'fb_dtsg'. Bang!!
It took Facebook Inc. a day to fix the reported vulnerability.
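The root cause the researcher describes is a server-side handler that read the app parameters but never checked the anti-CSRF token. The following is an added illustration, not Facebook's code and not the researcher's PoC: a hypothetical, constructed "add app" handler in its flawed form beside a hardened form that rejects any request whose 'fb_dtsg' value does not match the token stored in the user's session. The Session class, the parameter names other than those quoted in the article, and the sample requests are all assumptions made for the example.

```python
import hmac
import secrets


class Session:
    """Constructed model of a logged-in session. The server issues one
    anti-CSRF token per session and keeps it server-side; the same value
    is embedded in the site's own forms as the 'fb_dtsg' field."""

    def __init__(self, user_id):
        self.user_id = user_id
        self.csrf_token = secrets.token_urlsafe(32)
        self.installed_apps = []


def _install(session, params):
    # Shared business logic: record the app and the permissions it asked for.
    app_id = params.get("app_id")
    if app_id is None:
        return {"status": 400, "error": "missing app_id"}
    perms = params.get("perm", "")
    session.installed_apps.append(
        {"app_id": app_id, "perms": perms.split(",") if perms else []}
    )
    return {"status": 200, "added": app_id}


def add_app_vulnerable(session, params):
    """Hypothetical reconstruction of the flaw described in the article:
    the handler never looks at 'fb_dtsg', so a POST that omits the token
    (for example one triggered from another site) is honoured anyway."""
    return _install(session, params)


def add_app_hardened(session, params):
    """Hardened handler: the request is honoured only if 'fb_dtsg' is
    present and equals the session's token. The comparison is constant-time
    so the check does not leak the token byte by byte."""
    submitted = params.get("fb_dtsg")
    if submitted is None or not hmac.compare_digest(
        submitted.encode(), session.csrf_token.encode()
    ):
        return {"status": 403, "error": "invalid or missing anti-CSRF token"}
    return _install(session, params)


def demo():
    """Run both handlers against a constructed request that carries the
    app-specific values but no token, as a cross-site form post would."""
    cross_site_request = {
        "app_id": "123456",                 # constructed sample app id
        "perm": "email,publish_stream",     # constructed sample permissions
        "redirect_url": "https://app.example/cb",
    }
    victim_a = Session("user-a")
    victim_b = Session("user-b")
    return {
        "vulnerable": add_app_vulnerable(victim_a, cross_site_request)["status"],
        "hardened": add_app_hardened(victim_b, cross_site_request)["status"],
    }


if __name__ == "__main__":
    print(demo())  # vulnerable handler reports 200, hardened handler 403
```

Two properties of the hardened version are what the flawed feature lacked: the token is bound to the session rather than being a static or guessable value, and the server refuses the action rather than merely reading the field. A missing token, a wrong token, and a token copied from a different session all fail the same way.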
Find out more about Dancho Danchev at his LinkedIn profile.