[Facebook] CSRF to accept page admin invitation

Facebook responded that this vulnerability was reported before by someone else and it is now fixed.

This is a CSRF vulnerability that lets anyone generate a URL which accepts an invitation to become a page admin (or any other admin role) on the recipient's behalf. Undoubtedly, this is not really a big deal, but it is still a problem.

For example, I am an admin of a page and send an invitation to a user with a known email address. An email is then sent to the recipient's mailbox asking him or her to accept or decline the invitation. However, the sender (me in this case) can generate a URL that makes the recipient accept the invitation without any confirmation or security code being required. Normally the fb_dtsg parameter is required to prevent this kind of CSRF attack, but it is not enforced on this endpoint. The URL looks like:

https://www.facebook.com/pages/admin/invite?page_id=PAGE_ID&action=accept&sender_id=MY_ID&recipient_id=TARGET_ID&admin_type=0&email=TARGET_EMAIL

As long as the recipient loads the URL above (for example via an image or script tag, or a direct click), the invitation is accepted automatically.
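To show what the missing protection looks like on the server side, here is an added example (not Facebook's code, and not from the original post) that contrasts a handler with the weakness described above against a hardened one: the hardened version only changes state on POST, requires a session-bound token playing the role of fb_dtsg, and takes the recipient identity from the logged-in session rather than from the request. The Request class, the PENDING table and the user/page ids are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    params: dict   # query string or form fields
    session: dict  # assumed server-side session of the logged-in user


# Pending admin invitations keyed by (page_id, recipient_id); constructed sample data.
PENDING = {("page-1", "user-B"): {"sender_id": "user-A", "admin_type": 0}}


def accept_invite_vulnerable(req, roles):
    """Mirrors the weakness in the post: any request with action=accept is honoured,
    regardless of method, token, or who is actually logged in."""
    p = req.params
    if p.get("action") != "accept":
        return False
    key = (p.get("page_id"), p.get("recipient_id"))
    inv = PENDING.get(key)
    if inv is None:
        return False
    roles[key] = inv["admin_type"]
    return True


def issue_csrf_token(session):
    """Store a random per-session token (the role fb_dtsg plays on Facebook)."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def accept_invite_hardened(req, roles):
    """State change only on POST, with a constant-time token check, and the
    recipient taken from the session so the URL cannot name the victim."""
    if req.method != "POST":
        return False
    expected = req.session.get("csrf")
    supplied = req.params.get("fb_dtsg", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False
    if req.params.get("action") != "accept":
        return False
    key = (req.params.get("page_id"), req.session.get("user_id"))
    inv = PENDING.get(key)
    if inv is None:
        return False
    roles[key] = inv["admin_type"]
    return True
```

A request loaded through an image tag is a GET with no token, so the hardened handler rejects it while the vulnerable one grants the role.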

1 Dec 2013 – Reported to Facebook
3 Dec 2013 – Notified of duplicated report

Published by

alanyip

My name is Alan Yip, a programmer and security researcher from Hong Kong. I create tweaks for iOS and do security research.