Facebook, unlike other websites, has a very shitty token usage strategy. At first I thought I had discovered a CSRF; upon further investigation I found it's just a shitty design that never got fixed and never will be. So I reported the issue and got this:
“…Are you reporting a CSRF attack that requires one of the
victim's FB_DTSG tokens as a pre-requisite?”
Yes, I was reporting a CSRF attack that requires a valid anti-CSRF token. When I say it out loud I feel stupid, but it's true. If an attacker somehow manages to get a victim's token (leaked, sniffed, etc.), that's a problem. So once you have a used token, which isn't totally useless, you can craft most types of CSRF attacks. But that was something Facebook refuses to fix, again.
Then I found something interesting: https://m.facebook.com/ajax/dtsg/?__ajax__=true is a very interesting link. It generates tokens for the logged-in user: when you visit that link, it just generates you a valid token and prints it out along with how long it is valid for. My first try was clickjacking, a drag-and-drop game to make the victim copy the token and paste it, then using that token to craft an instant CSRF. But shit, X-Frame-Options was there, so I had to think of something else.
Then I hit on a very rare but (I think) possible scenario. When you visit https://m.facebook.com/ajax/dtsg/?__ajax__=false even when you're not authenticated, it just prints out a random user's access token along with how long it's valid for. But that is next to nothing, considering there are over a billion users on Facebook and you can't possibly know which user it belongs to. Guessing is actually only 0.000081% probable. So shit. But now it's totally shitty, because:
Imagine a website as popular as Google; imagine them being malicious and wanting to make everyone share some status update. They get around a billion hits a day. But how does this help? So imagine that while you're on Google, or even watching a 6 hour long video, your browser in the background is designed to bruteforce the token using something like this (pseudo code):
```php
$token = 'https://m.facebook.com/ajax/dtsg/?__ajax__=false';
$tok = file_get_contents($token); // somehow get token
foreach ($tok as $sometoken) {
    // javascript/ajax for you to request an action
    request('http://facebook.com/?someaction&fb_dtsg=' . $sometoken);
}
```
That code is PHP, but we can write JavaScript to request a token from our PHP code (where we store random valid tokens). When the PHP returns a random valid token for some unknown user, we can use that token to make a request on behalf of the user using JavaScript (their logged-in browser), and if the user is stuck on that website for at least 6 hours (like watching a video) while the website brute forces their token in the background, it is somehow probable that the token will match and give us a CSRF. Enjoy!