A security researcher discovered a critical cross-site request forgery (CSRF) vulnerability in the most popular social media platform that could have been allowed attackers to hijack Facebook accounts by simply tricking the targeted users into clicking on a link.
The researcher, who goes by the online alias "Samm0uda," discovered the vulnerability after he spotted a flawed endpoint (facebook.com/comet/dialog_DONOTUSE/) that could have been exploited to bypass CSRF protections and takeover victim's account.
"This is possible because of a vulnerable endpoint which takes another given Facebook endpoint selected by the attacker along with the parameters and makes a POST request to that endpoint after adding the fb_dtsg parameter," the researcher says on his blog.
"Also this endpoint is located under the main domain www.facebook.com which makes it easier for the attacker to trick his victims to visit the URL."
All the attacker needs to do is trick the victims into clicking a specially crafted Facebook URL, as mentioned on his blog, designed to perform various actions like posting anything on their timeline, change or delete their profile picture, and even trick users into deleting their entire Facebook accounts.
1-Click Exploit to Completely Take Over Facebook Accounts
Taking over full control of the victims' accounts or tricking them into deleting their entire Facebook account requires some extra efforts from the attacker's side, as victims need to enter their password before the account is deleted.
To do this, the researcher said it would require the victims to visit two separate URLs, one to add the email or phone number and one to confirm it.
It's "because the 'normal' endpoints used to add emails or phone numbers don't have a 'next' parameter to redirect the user after a successful request," the researcher says.
However, the researcher still made the full account takeover possible with a single URL by finding the endpoints where the 'next' parameter is present and authorizing a malicious app on behalf of the victims and obtaining their Facebook access token.
With access to the victims' authentication tokens, the exploit automatically adds an attacker-controlled email address to their account, allowing the attacker to fully take over accounts by simply resetting their passwords and locking the legitimate users out of their Facebook accounts.
Though the full Facebook account takeover hack involved multiple steps, the researcher said the complete one-click exploit would have allowed any malicious user to hijack your Facebook account "in the blink of an eye."
Such account takeover attacks can be mitigated if you have enabled two-factor authentication for your Facebook account, preventing hackers from logging into your accounts until or unless they verify the 6-digit passcode sent to your mobile device.
However, any mitigation could not prevent hackers from performing some actions on your behalf leveraging this vulnerability, like changing or deleting your profile pictures or albums or posting anything on your timeline.
Samm0uda reported the vulnerability with the details of his exploit to Facebook on January 26. The social media giant acknowledged the issue and addressed it on January 31, rewarding the researcher with $25,000 as part of Facebook's bug bounty program.