Published On: 25 Apr 2020
This vulnerability could allow an attacker to verify an email address that he doesn't have access to. This is possible because the verification link sent to a user (who uses Outlook as their email client) is triggered by simply reading/opening the email: the mail client fetches the link on its own, and the endpoint confirms the address on that fetch, without any click.
To exploit this, the attacker's Facebook account has to be logged into the victim's browser. The attacker can do this by simply loading his one-tap login link into the victim's browser. https://pastebin.com/raw/tA9mnhdx
This allowed an attacker to CSRF someone into confirming their email on an attacker-controlled account.
Step 1: Setup

Step 2: Attacker prepares a malicious page with the following codes.

Step 3: Attacker adds [email protected] as his contact email.

Step 4: Attacker sends the link of the malicious page to the victim.

Step 5: Victim opens the link. After a few seconds he is redirected to https://outlook.live.com/mail/inbox. Little does he know, the attacker's account was already logged in to his browser.

Step 6: Since Outlook is already open, he reads the email from Facebook with the subject "New email address added on Facebook". He just ignores the email (since there's no link to disavow the action). He thinks that he's still safe since he didn't click on the link, nor did he give the attacker his confirmation code.

Step 7: Victim's email is now confirmed on the attacker's account.
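The root cause in step 6 is that the confirmation link performs the state change on a bare GET, so a mail client that fetches links in a received message completes the action with no click. The following is an added example, not code from the original report or from Facebook: it models the confirmation endpoint in a vulnerable form (confirms on GET) next to a hardened form (GET only renders a page that names the claiming account; the confirmation itself requires a POST). The in-memory stores, `request_verification`, and `mail_client_opens_link` are assumptions made for the demonstration.

```python
"""Email-confirmation endpoint: vulnerable vs. hardened (added example)."""
import secrets

# Constructed in-memory stores standing in for the real database.
ACCOUNTS = {"attacker": set(), "victim": set()}   # account -> confirmed emails
PENDING = {}                                      # token -> (account, email)


def request_verification(account, email):
    """An account adds a contact email; a token is generated and mailed to it."""
    token = secrets.token_urlsafe(32)
    PENDING[token] = (account, email)
    return token


def vulnerable_confirm(method, token):
    """Vulnerable pattern: any request carrying the token confirms the address,
    so a mail client merely fetching the link already performs the action."""
    if token not in PENDING:
        return 404, "unknown token"
    account, email = PENDING.pop(token)
    ACCOUNTS[account].add(email)
    return 200, f"{email} is now confirmed on account '{account}'"


def hardened_confirm(method, token):
    """Hardened pattern: GET is read-only and tells the reader which account is
    claiming the address; only an explicit POST (form submission) commits it."""
    if token not in PENDING:
        return 404, "unknown token"
    account, email = PENDING[token]
    if method == "GET":
        # An automatic fetch by a mail client or link scanner ends here,
        # with no side effect; the token stays pending.
        return 200, (f"Account '{account}' wants to add {email} as its email. "
                     f"<form method='post'><input type='hidden' name='token' "
                     f"value='{token}'><button>Confirm</button></form>")
    if method == "POST":
        PENDING.pop(token)
        ACCOUNTS[account].add(email)
        return 200, f"{email} is now confirmed on account '{account}'"
    return 405, "method not allowed"


def mail_client_opens_link(handler, token):
    """Models a mail client that fetches links found in a received message:
    a plain GET issued without any user click."""
    return handler("GET", token)


if __name__ == "__main__":
    t1 = request_verification("attacker", "victim@example.com")
    print(mail_client_opens_link(vulnerable_confirm, t1))
    print("vulnerable, after the client's fetch:", ACCOUNTS["attacker"])
    ACCOUNTS["attacker"].clear()
    t2 = request_verification("attacker", "victim@example.com")
    print(mail_client_opens_link(hardened_confirm, t2))
    print("hardened, after the client's fetch:", ACCOUNTS["attacker"])
```

The page rendered on GET also serves as the missing "disavow" affordance from step 6: a reader who sees an unfamiliar account name can simply not submit the form. The same rule generalises to any emailed link that changes state (password resets, account merges, unsubscribe-and-delete flows): render on GET, mutate only on POST.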