[Facebook] CSRF to accept page admin invitation

Facebook responded that this vulnerability was reported before by someone else and it is now fixed.

This is a CSRF vulnerability that lets anyone generate a URL which, when visited by the recipient, accepts an invitation to become a page admin (or any other admin role) on the recipient's behalf. Admittedly, this is not a big deal, but it is still a problem.

For example, I am an admin of a page and send an invitation to a user with a known email address. An email is then sent to the recipient's mailbox asking him or her to accept or decline the invitation. However, the sender (me in this case) can generate a URL that makes the recipient accept the invitation without any confirmation or security code. Normally the fb_dtsg parameter (Facebook's anti-CSRF token) is required on state-changing requests to prevent this kind of attack, but it is not checked here. The URL looks like:

https://www.facebook.com/pages/admin/invite?page_id=PAGE_ID&action=accept&sender_id=MY_ID&recipient_id=TARGET_ID&admin_type=0&email=TARGET_EMAIL

As long as the recipient triggers the URL above while logged in to Facebook (through an image or script tag on a page they visit, or a direct click), the invitation is accepted automatically. The state change happens on a plain GET with no token, so any page the recipient visits can fire it.
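
To make the defect concrete, here is an added example (not Facebook's code, and not part of the original report) that models the reported pattern beside its hardened form. The request model, the `pending`/`admins`/`session_tokens` stores, the user names and page id `111` are all constructed for the demo; `fb_dtsg` is used as the name of the session-bound token because that is the parameter the report names.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Hypothetical minimal request model; stands in for a web framework's request
# object so the example runs stand-alone.
@dataclass
class Request:
    method: str
    session_user: str                 # user the session cookie authenticates
    params: dict = field(default_factory=dict)   # query string
    form: dict = field(default_factory=dict)     # POST body


# Constructed state: pending invitations keyed by (page_id, recipient_id),
# accepted admin roles, and per-session anti-CSRF tokens (the role fb_dtsg plays).
pending = {}
admins = set()
session_tokens = {}


def reset():
    pending.clear()
    pending[("111", "bob")] = {"sender_id": "alice", "admin_type": "0"}
    admins.clear()
    session_tokens.clear()


def issue_token(user):
    tok = secrets.token_urlsafe(32)
    session_tokens[user] = tok
    return tok


def accept_invite_vulnerable(req):
    """Mirrors the reported pattern: a GET with the recipient id in the query
    string performs the state change and no token is checked, so an <img>
    tag on any page the victim visits is enough."""
    key = (req.params.get("page_id"), req.params.get("recipient_id"))
    inv = pending.get(key)
    if inv is None:
        return 404
    admins.add(key + (inv["admin_type"],))
    del pending[key]
    return 200


def accept_invite_hardened(req):
    """Require POST, a session-bound token compared in constant time, and
    take the recipient from the authenticated session, never from the URL."""
    if req.method != "POST":
        return 405
    expected = session_tokens.get(req.session_user)
    supplied = req.form.get("fb_dtsg", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    key = (req.form.get("page_id"), req.session_user)
    inv = pending.get(key)
    if inv is None:
        return 404
    admins.add(key + (inv["admin_type"],))
    del pending[key]
    return 200


def demo_forged_get(handler):
    """Cross-site request: a GET fired by an <img> on an attacker page while
    the victim is logged in as bob. Returns (status, accepted?)."""
    reset()
    req = Request(method="GET", session_user="bob",
                  params={"page_id": "111", "action": "accept",
                          "sender_id": "alice", "recipient_id": "bob"})
    return handler(req), ("111", "bob", "0") in admins


def demo_legit_post():
    """The victim's own submission carrying the token from their session."""
    reset()
    tok = issue_token("bob")
    req = Request(method="POST", session_user="bob",
                  form={"page_id": "111", "fb_dtsg": tok})
    return accept_invite_hardened(req), ("111", "bob", "0") in admins


def demo_forged_post_wrong_token():
    """A cross-site POST: the attacker cannot read the token, so it is guessed."""
    reset()
    issue_token("bob")
    req = Request(method="POST", session_user="bob",
                  form={"page_id": "111", "fb_dtsg": "guess"})
    return accept_invite_hardened(req), ("111", "bob", "0") in admins


if __name__ == "__main__":
    print(demo_forged_get(accept_invite_vulnerable))   # (200, True)
    print(demo_forged_get(accept_invite_hardened))     # (405, False)
    print(demo_legit_post())                           # (200, True)
    print(demo_forged_post_wrong_token())              # (403, False)
```

The two fixes that matter are independent: the token check stops the cross-site request (the attacker's page cannot read the victim's token), and taking `recipient_id` from the session rather than the URL means even a request that did get through could only act on the caller's own invitation. Requiring POST is not a CSRF defence by itself (a hidden auto-submitting form posts just as easily as an image tag fetches), but it keeps the state change off a URL that image and script tags can load.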

1 Dec 2013 – Reported to Facebook
3 Dec 2013 – Notified of duplicated report

[Facebook] Get sharing URL from any post

This vulnerability allows anyone to obtain the shared URL from any post, including one you cannot access because of its privacy setting. It reveals only the shared URL, not the content or author of the post.

The hack is pretty simple. It takes place in the share script on the mobile site.

https://m.facebook.com/sharer.php?sid=...

The script takes a parameter called "sid", the ID of the object being shared. That sid value is carried into the POST body when the share is submitted. It can be set to the ID of any post that shares a URL (this does not work for posts that share another post or other Facebook items), and the share, surprisingly, still succeeds: the share endpoint does not apply the post's privacy setting to the sid it is given. The resulting post then reveals the URL shared by the post with the known ID.
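
The missing check is object-level authorization on the `sid` the share endpoint receives. The following added example (not Facebook's code, and not part of the original report) models a share endpoint that copies the link out of a post by ID, once without and once with that check. The `Post` model, the `friends` graph, the post IDs and the URLs are all constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Post:
    id: str
    author: str
    privacy: str            # "public", "friends" or "only_me"
    link: Optional[str]     # the shared URL; None for non-link posts


# Constructed data: a small friend graph and three posts, one of them private.
friends = {"alice": {"bob"}, "bob": {"alice"}, "carol": set()}
posts = {
    "100": Post("100", "alice", "public", "https://example.org/public"),
    "200": Post("200", "alice", "only_me", "https://example.org/secret"),
    "300": Post("300", "alice", "friends", None),   # shares another item, not a URL
}


def can_view(viewer, post):
    """The privacy rule a post is read under; the share path must use the same one."""
    if post.privacy == "public" or viewer == post.author:
        return True
    if post.privacy == "friends":
        return viewer in friends.get(post.author, set())
    return False


def share_vulnerable(viewer, sid):
    """Mirrors the reported behaviour: sid is resolved to a post and its link is
    re-shared as a new post by the viewer, with no check that the viewer may
    see the original. Returns the new post, or None if sid is not a link post."""
    post = posts.get(sid)
    if post is None or post.link is None:
        return None
    return {"author": viewer, "link": post.link}


def share_hardened(viewer, sid):
    """Resolve sid, then enforce the post's own privacy rule before any field
    of it is copied out. Not-found and forbidden return the same value so the
    endpoint cannot be used as an oracle for which post IDs exist."""
    post = posts.get(sid)
    if post is None or post.link is None:
        return None
    if not can_view(viewer, post):
        return None
    return {"author": viewer, "link": post.link}


if __name__ == "__main__":
    # carol is not alice's friend, yet the vulnerable path leaks the private link
    print(share_vulnerable("carol", "200"))   # {'author': 'carol', 'link': 'https://example.org/secret'}
    print(share_hardened("carol", "200"))     # None
    print(share_hardened("carol", "100"))     # the public link is still shareable
```

The general lesson is that an ID accepted from the client (here `sid`, arriving first in the query string and then in the POST body) must be authorized against the calling user every time it is dereferenced, not only on the page that normally produces it; a share flow that trusts the ID because "the UI only offers IDs the user can see" is exactly what lets a known or guessed ID pull data out of a post the user cannot open.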

5 Aug 2013 – Reported to Facebook
12 Aug 2013 – Acknowledgement of report
1 Nov 2013 – Vulnerability fixed