Rejected CSRF at facebook.com

Recently, we discovered a rather uncritical CSRF issue at Facebook. Facebook's security team rejected this submission as there is no direct impact on any user data. People asked us to share the finding, so here we go :)

As the issue really wasn’t that critical, we don’t want to blame Facebook for rejecting it. Don’t expect anything exceptional.

Facebook has a dedicated “FAQ/Help” section, which can be found here: Facebook Help.

If you type some keywords into the search box, e.g. “delete my account”, a dropdown with suggestions shows up.

Screenshot of a dropdown with suggestions

Clicking on one of the suggested items results in the following request to the Facebook servers:

POST /help/typeahead.php?helpPlatformPath=%2Fhelp%2F HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.facebook.com/help/
Cookie: [COOKIES]
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 216

faq_id=224562897555674&user_query=delete+my+account&normalized_query=delete+my+account+site%3awww.facebook.com%2fhelp%2f+meta%3asearch.helptype%28%22faq%22%29+meta%3asearch.searchable%28%22true%22%29&fb_dtsg=AQCQwq0n

The server responds with a redirect to the FAQ page identified by the “faq_id”:

HTTP/1.1 302 forced.302
Location: https://www.facebook.com/help/224562897555674
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Set-Cookie: _e_0Kyy_2=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Type: text/html; charset=utf-8
X-FB-Debug: IHqg1vyS/5YzFfEDeZpDtVseUBvVhyrORUnqYjWmfLk=
Date: Mon, 10 Feb 2014 21:53:33 GMT
Connection: keep-alive
Content-Length: 0

The fb_dtsg parameter is one of Facebook's CSRF tokens. For this endpoint it was not validated on the server: the request succeeded with an arbitrary token value, and also without the parameter at all.

You could even reduce the request body to a single parameter:

faq_id=224562897555674
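To make the difference concrete, here is an added example (our own illustration, not Facebook's code): a minimal Python model of the typeahead handler, once in the unvalidated form observed above, and once in a hardened form that actually checks fb_dtsg against the token bound to the caller's session. The session store, session id and token value are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed session store: session id -> CSRF token issued with the page.
# In a real framework this token is what fb_dtsg is supposed to carry back.
SESSIONS = {"sess1": secrets.token_urlsafe(16)}

def _redirect_for(params):
    """Shared tail: redirect to the FAQ page named by faq_id, as the
    observed response does, or 400 if faq_id is missing or malformed."""
    faq_id = params.get("faq_id", [""])[0]
    if not faq_id.isdigit():
        return 400, None
    return 302, f"https://www.facebook.com/help/{faq_id}"

def handle_typeahead_unvalidated(session_id, body):
    """Models the behaviour described in the post: fb_dtsg may be present
    in the body but is never compared to anything, so any value (or none)
    is accepted and the redirect is issued."""
    params = parse_qs(body)
    return _redirect_for(params)

def handle_typeahead_validated(session_id, body):
    """Hardened form: the POST is rejected unless fb_dtsg equals the token
    bound to the session. compare_digest avoids a timing side channel;
    both sides are encoded to bytes so non-ASCII input cannot raise."""
    params = parse_qs(body)
    expected = SESSIONS.get(session_id)
    supplied = params.get("fb_dtsg", [""])[0]
    if expected is None or not hmac.compare_digest(
        supplied.encode("utf-8"), expected.encode("utf-8")
    ):
        return 403, None
    return _redirect_for(params)

if __name__ == "__main__":
    token = SESSIONS["sess1"]
    print(handle_typeahead_unvalidated("sess1", "faq_id=224562897555674"))
    print(handle_typeahead_validated("sess1", "faq_id=224562897555674"))
    print(handle_typeahead_validated("sess1", f"faq_id=224562897555674&fb_dtsg={token}"))
```

The first two calls show the gap: the unvalidated handler redirects with no token at all, while the validated one answers 403 until the session-bound token is supplied.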

As we don’t know whether the “user_query” is tracked and/or linked to a user's account, we can only make assumptions. Assumptions are not the way to go ;)

So what have we found here? A CSRF with absolutely no impact on any user data. We submitted the issue anyway and received the following answer from Arya:

The token is part of the default CSRF framework that we have for POST requests. It is not present for any particular reason. So it's not a big deal if it's not validated.

Funny side note: Why does a CSRF framework not validate CSRF tokens correctly? ;)

Timeline:

  • 6th of Feb. 2014: Reported the issue to Facebook

  • 6th of Feb. 2014: Answer from Facebook rejecting this submission due to low severity

  • 10th of Feb. 2014: Public disclosure

The team of internetwache.org