Hey all, Ameer Hamza here. Facebook has recently introduced a login-with-phone feature for when you have forgotten your password; however, I was able to exploit it to gain access to a Facebook account. The login-with-phone button pops up a QR code to scan:
So I thought, why not try to break it?
First I tried to decode the QR code using a QR code decoder. Here is what I got:
Opening the URL, these are the options I got:
I captured the request and sent it to Repeater, dropping the original request so that the code would not expire. I changed the fb_dtsg value from AQG8uIRB5b_U:AQHYfzdc7VMV to AQG8uIRB5b_U:AQHYfzdc7AB and it was simply accepted! 😀 (no screenshot available -_-)
Without thinking twice, I created a CSRF form:
Shit! The request got aborted :/
To understand everything the QR code flow does, I monitored all the requests again, and after 2 to 3 hours of brainfuc*k I came to know that the victim has to open the link first, so that the Facebook server registers it as a scan of the QR code. I quickly made the CSRF form again:
And here comes the response 😀:
I was like:
I tested it on 2 or 3 accounts and hoped this bug was legit! Here is the PoC I made:
After three days of waiting and four "any update?" replies, it was marked as a duplicate 🙁:
Bug: the QR code's "allow login / I wasn't trying to log in" form was vulnerable to CSRF.
Impact: this security issue lets an attacker gain access to the victim's account.
Reward: n/a
That's all, fellas! Hope you enjoyed my write-up. Thanks to Muhammad Khizer Javed.
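The root cause above is an anti-CSRF token (fb_dtsg) that the "allow login" endpoint reads but never checks against the session. The following is an added, constructed example of that handler in its vulnerable form beside a fixed one; it is not Facebook's code, and the session store, function names, the placeholder first-party origin https://app.example and the attacker origin https://evil.example are all assumptions made for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"user", "csrf_token"}.
SESSIONS = {}


def create_session(user):
    """Issue a session that carries its own unguessable anti-CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def allow_login_vulnerable(session_id, form):
    """'Before': the token is present in the form but never compared."""
    session = SESSIONS.get(session_id)
    if session is None:
        return (403, "no session")
    _unchecked = form.get("fb_dtsg")  # any value, even a forged one, passes
    return (200, f"login approved for {session['user']}")


def allow_login_fixed(session_id, form, origin, allowed_origin="https://app.example"):
    """'After': reject cross-site origins and tokens that do not match the session."""
    session = SESSIONS.get(session_id)
    if session is None:
        return (403, "no session")
    if origin != allowed_origin:
        return (403, "cross-site origin rejected")
    token = form.get("fb_dtsg", "")
    # Constant-time comparison against the token bound to this session.
    if not hmac.compare_digest(token, session["csrf_token"]):
        return (403, "csrf token mismatch")
    return (200, f"login approved for {session['user']}")


def demo():
    """Replay the write-up's forged token against both handlers; returns status codes."""
    sid = create_session("victim")
    forged = {"fb_dtsg": "AQG8uIRB5b_U:AQHYfzdc7AB"}  # the altered value from the write-up
    genuine = {"fb_dtsg": SESSIONS[sid]["csrf_token"]}
    return {
        "vuln_forged": allow_login_vulnerable(sid, forged)[0],
        "fixed_forged_cross_site": allow_login_fixed(sid, forged, "https://evil.example")[0],
        "fixed_forged_same_origin": allow_login_fixed(sid, forged, "https://app.example")[0],
        "fixed_genuine": allow_login_fixed(sid, genuine, "https://app.example")[0],
    }
```

The vulnerable handler approves the login with the forged token (200); the fixed handler rejects it both cross-site and same-origin (403) and only approves the session-bound token.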
Best Regards, Ameer Hamza
I'm confused… you have to already have access to the account in order to get the QR code, so what exactly was the attack here? You used the login to log in to an account you already had access to?
Good job man
I reported it last month, that's why you got it as a duplicate. Anyway, nice blog.