Recently, we discovered a very uncritical CSRF issue at facebook. Facebooks security team rejected this submission as there is no direct impact on any user data. People asked to share the finding, so here we go :)
As the issue really wasn’t that critical we don’t want to blame facebook for rejecting this issue. Don’t expect anything exceptional.
Facebook has a dedicated “FAQ/Help” section which can be found here: Facebook Help.
If you type some keywords into the search box e.g. “delete my account”, a dropdown with suggestions will show up.
Clicking on one of the suggested items results in the following request to the facebook servers:
1 2 3 4 5 6 7 8 9 10 11 12 13
The server responds with a redirect to the faq page with the “faq_id”:
1 2 3 4 5 6 7 8 9 10
The fb_dtsg is also known as one of facebooks csrf tokens. This parameter was not validated on the server.
You could even reduce the request body to only one parameter:
As we don’t know whether the “user_query” is tracked and/or linked to a users account, we can only make assumptions. Assumptions are not the way to go ;)
So what have we found here? A CSRF with absolutely no impact on any user-data. However, we submitted this issue and received the following answer from Arya:
Funny side note: Why does a CSRF framework not validate CSRF tokens correctly? ;)
06th of feb. 2014: Reported issue to facebook
06th of feb. 2014: Answer from facebook rejecting this submission due to low severity
10th of feb. 2014: Public disclosure
The team of internetwache.org