Ow Facebook Part 3: Token Misconfigurations

11:28 AM


Facebook, unlike other websites have a very shitty token usage strategy. First I taught I discovered a CSRF, upon further investigation. I just discovered it’s a shitty design that never got/will be fixed.

Using m.facebook.com, while you share a status, there is an anti-CSRF token called fb_dtsg, actually that token appears in almost always action you do. But here is the fucked up thing about that token, even though the token regenerates for each action. The first token would do fine, actually the token works 72hours for any action infinite times. So what is the point of generating a new token every time?

So I reported the issue and got this 


“…Are you reporting a CSRF attack that requires one of the victim's FB_DTSG tokens as a pre-requisite?”

Yes, I was reporting a CSRF attack that requires a valid anti-CSRF token, when I say it out loud, I feel stupid, but it’s true. If an attacker somehow manages to get a victims token leaked, sniffed, etc, that's a problem. So when you have a used token, that isn’t totally useless, you can craft most type of CSRF attacks. But that was something Facebook rejects to fix, again.

Then I found something interesting, https://m.facebook.com/ajax/dtsg/?__ajax__=true is a very interesting link. It generates tokens for the logged in user, when you visit that link, it just generates you a valid token and prints it out with for how long it is valid for. My first try was click jacking, drag and dropping game to make the victim copy the token and paste it. Then using that token to craft an instant CSRF, but shit, X-FRAME-Options was there, I had to think of something else.

Then I got a very rare, but possible ( I think ) possibility. When you visit, https://m.facebook.com/ajax/dtsg/?__ajax__=false even when you’re not authenticated, it just prints out a random users access token with for how much long it’s valid for. But that next to nothing considering there are over a billion users in Facebook and you can’t possibly know for which user. Guessing actually is 0.000081% only probable. So shit. But now totally shitty because,

Imagine a website as popular like Google, Imagine them being malicious and want to make everyone share some status update. They get around billion hits a day. But how does this help... So imagine while you’re on Google or even watching a long 6 hour long video, your browser in behind is designed to bruteforce the token using something like (pseudo code)

$tok = file_get_contents($token); //somehow get token;
foreach($tok as $sometoken){
                //javascript/ajax for you to request an action
request(‘http://facebook.com/?someaction&fb_dtsg=’.$sometoken’);
}

That code is PHP but we can make a JavaScript code to request a token from our php code (where we store random valid tokens), when the PHP returns random valid token for some unknown user, we can use that token to make a request in behalf of the user using JavaScript (their logged in browser) and if the user is stuck in that website for atleast 6 hours (like watching a video) and the website in background brute forcing their token, it is somehow probable the token might get correct and create us a CSRF. Enjoy!

You Might Also Like

0 comments