Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Facebook SMS Captcha Was Vulnerable to CSRF Attack

Lokesh Kumar, posted 3 years ago
  • The author of this post found an issue in the account recovery flow. After requesting several OTP codes in a row, they were pushed into an SMS captcha flow. Most people would stop there, but the author decided to look at the format of the captcha URL.
  • The captcha URL carried a parameter called next. This parameter could be pointed at sensitive GraphQL operations, such as posting to the timeline or changing email privacy settings.
  • This turns into a CSRF attack: because the POST is issued from Facebook's own captcha page, it carries a valid CSRF token, so the usual token check does not help. The request fires when the victim clicks the Continue button on a captcha page loaded from the attacker-supplied URL.
  • I'd personally never seen a bug like this! Seeing a URL control all of the content of a request is pretty interesting. The fix for this was adding a message authentication code (MAC) to ensure the URL couldn't be tampered with. Additionally, only a proper OTP code can trigger the action URL now.
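The fix described above, a MAC over the next parameter plus an OTP gate before the action runs, can be shown in a few lines. The following is an added example written for this page, not Facebook's code; the URL layout, session binding, function names and the constructed secret are all assumptions made for illustration.

```python
import hmac
import hashlib
from typing import Optional
from urllib.parse import urlencode, parse_qs, urlsplit

# Constructed server-side key for the example; a real service loads it from a key store.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def _mac(next_url: str, session_id: str) -> str:
    # Bind the MAC to the user's session so a signed link cannot be replayed for another user.
    msg = f"{session_id}\0{next_url}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def build_captcha_url(next_url: str, session_id: str) -> str:
    """Server side: build the captcha link with a MAC covering the next target.

    Only same-origin relative paths are accepted, so next cannot point off-site.
    """
    if not next_url.startswith("/") or next_url.startswith("//"):
        raise ValueError("next must be a same-origin relative path")
    query = urlencode({"next": next_url, "mac": _mac(next_url, session_id)})
    return f"/captcha?{query}"


def resolve_next(captcha_url: str, session_id: str) -> Optional[str]:
    """Return the verified next target, or None if it is missing or was tampered with."""
    params = parse_qs(urlsplit(captcha_url).query)
    next_url = params.get("next", [None])[0]
    mac = params.get("mac", [None])[0]
    if next_url is None or mac is None:
        return None
    # Constant-time comparison; a tampered next or a different session fails here.
    if not hmac.compare_digest(mac, _mac(next_url, session_id)):
        return None
    return next_url


def continue_after_captcha(captcha_url: str, session_id: str,
                           submitted_otp: str, expected_otp: str) -> Optional[str]:
    """The Continue handler: the action URL is only released once a correct OTP was entered."""
    if not hmac.compare_digest(submitted_otp.encode(), expected_otp.encode()):
        return None
    return resolve_next(captcha_url, session_id)


if __name__ == "__main__":
    # Constructed walk-through: a legitimate link, then the same link with next swapped out.
    link = build_captcha_url("/recover/resend", "sess-A")
    print("issued:", link)
    print("valid next:", resolve_next(link, "sess-A"))
    forged = link.replace("%2Frecover%2Fresend", "%2Fgraphql%2Fpost_status")
    print("forged next:", resolve_next(forged, "sess-A"))
```

The two checks are independent: the MAC stops a third party from choosing where Continue sends the request, and the OTP gate means even a correctly signed link does nothing until the real account holder proves possession of the phone.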