Hey all, Ameer Hamza here. Facebook has recently introduced a "login with phone" feature for when you have forgotten your password; however, I was able to exploit it to gain access to the Facebook account. The "login with phone" button pops up a QR code to scan:


So I thought, why not try to break it?


Firstly I tried to decode the QR code using a QR code decoder; here is what I got:


The URL I got was: https://m.facebook.com/xdl/approve/?n=AYK8pQLRNK7UtXH77qI48xUnEHXb0rf2ySjUTHVjA6H-pU5gkI1JPYzit6wCp2z1tTNKZbXScD4MUshQuaP5M9H9j0e_x2ZK0ee9jkjLvv5-sQ&d=AYItt0ByoBCJEFQNGwike6sOHJyPJvDTCOruRgesi-7vvdIm4T3g22-FUW0f0Jph6gPYE3t10SddJ-rS7fg-z9VI&ext=1512136729&hash=AYKa_wmq-7CeeTac

Opening the URL, these are the options I got:


I just captured the request and sent it to Repeater, dropping the original request too so that the code wouldn't expire. I changed the fb_dtsg value from AQG8uIRB5b_U:AQHYfzdc7VMV to AQG8uIRB5b_U:AQHYfzdc7AB and it just got accepted! 😀 (no screenshot available -_-)

I didn't think twice and created a CSRF form:


Shit! The request got aborted :/ :


To understand everything the QR code flow does, I monitored all the requests again, and after 2 to 3 hours of brainf*ck I came to know that it is important for the victim to open the link first, so that the Facebook server detects it as the QR code having been scanned. I quickly made the CSRF form again:


And here comes the response 😀 :


I was like: That's all, Folks!

I tested it on 2 or 3 accounts and hoped this bug was legit! Here is the PoC I made:

After three days of waiting and 4 "any update?" replies, this got marked as a duplicate 🙁 :


Bug: the QR code's "Allow login" / "I wasn't trying to login" form was vulnerable to CSRF.

Impact: this security issue lets an attacker gain access to the victim's account.
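The root cause above is an approval endpoint that accepts an altered fb_dtsg token. The following is an added example (not Facebook's code, and not the author's PoC) of a constructed approval handler with a hypothetical shape-only check beside a session-bound, constant-time check; the token format, secret and session ids are all assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed example: a per-session anti-CSRF token in the "prefix:suffix"
# shape seen for fb_dtsg in the write-up, and two ways a server might
# validate it on the QR "Allow login" endpoint. Assumption: one server key.
SERVER_SECRET = b"constructed-server-secret"


def issue_token(session_id: str) -> str:
    """Bind the token to the session: a public nonce plus an HMAC over it."""
    nonce = secrets.token_urlsafe(9)  # url-safe, never contains ':'
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()[:16]
    return f"{nonce}:{mac}"


def validate_weak(session_id: str, token: str) -> bool:
    """Hypothetical weak check that only inspects the token's shape.

    Any well-formed "a:b" string passes, so editing the suffix (as the
    write-up did) is still accepted. The session is never consulted.
    """
    parts = token.split(":")
    return len(parts) == 2 and all(parts)


def validate_strong(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    parts = token.split(":")
    if len(parts) != 2:
        return False
    nonce, given_mac = parts
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(expected, given_mac)


def approve_login(session_id: str, form: dict, validate) -> str:
    """Handler for the 'Allow login' POST: refuse unless the token is the
    caller's own session token. A cross-site form cannot read that token."""
    if not validate(session_id, form.get("fb_dtsg", "")):
        return "rejected"
    return "approved"
```

With the strong check, a form posted from another origin carries either no token or one issued for a different session, and the approval is refused.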

Reward: n/a

That's all, fellas! Hope you enjoyed my write-up. Thanks to Muhammad Khizer Javed.

Best Regards,
Ameer Hamza