Facebook finds itself in the soup for CSRF bug and leaking user data to third-party app

• While the first flaw can enable hackers to hijack Facebook accounts, the second flaw has been found in the implementation of Facebook’s API in a third-party app.
• A third-party Android application stored Facebook user data in two unsecured places, a Firebase database, and an API server.

Security researchers have discovered two crucial security flaws on Facebook. While the first flaw can enable hackers to hijack Facebook accounts, the second flaw has been found in the implementation of Facebook’s API in a third-party app.

CSRF flaw

A security researcher, who goes by the online name of ‘Samm0uda’ has discovered a critical cross-site request forgery (CSRF) vulnerability in Facebook. The flaw can allow attackers to take over Facebook accounts by simply tricking users into clicking on a specially-crafted link. It exists in the URL facebook.com/comet/dialog_DONOTUSE/.

Apart from account takeover, the flaw could also enable the hackers to perform various other actions like “posting anything on their timeline, change or delete their profile picture, and even trick users into deleting their entire Facebook accounts.”

To exploit the flaw, the researcher said that two separate URLs are used, one to add the email or phone number and another to confirm it.

Citing the reason for using two URLs, the researcher explained, “It’s because the ‘normal’ endpoints used to add emails or phone numbers don’t have a ‘next’ parameter to redirect the user after a successful request. So to bypass this, I needed to find endpoints where the ‘next’ parameter is present so the account takeover could be made with a single URL.”

Third-party app stores Facebook data

Cybersecurity firm Nightwatch Security has discovered that a third-party Android application was storing Facebook user data in two unsecured places, a Firebase database, and an API server. Although the number of users affected by the data leak is unknown, researchers reported that the application had more than 1,000,000 downloads worldwide, at the time of the investigation.

“After downloading the application, and examining it using JADX, we found that the application was using Facebook APIs to access data for the logged in user and copying to several storage locations outside of Facebook. Upon further examination, it was clear that at least two of such locations (a Firebase database and an API server) were making this data available without any authentication and without HTTPS,” Nightwatch researchers added.

Explaining the impact of this security loophole, researchers explained that this could allow attackers to download the user data accumulated by the application and later use it for other nefarious activities.