HOW I WAS ABLE TO TAKEOVER FACEBOOK ACCOUNT | Bug Bounty Poc

hey all here is ameer hamza,  Facebook has recently introduced login with phone functionality if you have forgotten your password. however I was able to exploit it which leads to access the facebook account.login with phone  button pops  a qr code to scan :

qrcodefbtopoc

so i thought why not try to break it ?

GMEMEFBTOPOC

firstly i tried to decode the qrcode using QrCode Decoder  here is what i got :

qrdecodefbtopoc

the url i got was : https://m.facebook.com/xdl/approve/?n=AYK8pQLRNK7UtXH77qI48xUnEHXb0rf2ySjUTHVjA6H-pU5gkI1JPYzit6wCp2z1tTNKZbXScD4MUshQuaP5M9H9j0e_x2ZK0ee9jkjLvv5-sQ&d=AYItt0ByoBCJEFQNGwike6sOHJyPJvDTCOruRgesi-7vvdIm4T3g22-FUW0f0Jph6gPYE3t10SddJ-rS7fg-z9VI&ext=1512136729&hash=AYKa_wmq-7CeeTac

open the url  these are the options I got :

allowlfbtopoc

just capture the request and send it to repeater while dropping the request too so that the code don’t get expired ,changed the fb_dtsg value to  AQG8uIRB5b_U:AQHYfzdc7AB  from AQG8uIRB5b_U:AQHYfzdc7VMV and it just got accepted ! 😀 (no screenshot available -_-)

Didn’t thinking for a while to create a csrf form :

form1fbtopoc

Shit! the request got aborted :/ :

form1resfbtopoc

for understanding all the shit  qr code does. monitored all the request again and after  2 to 3 hours of brainfuc*k hence, came to know that its important for the victim to open the link first so that the fb server could detect it as scanning the qr code . i quickly made the csrf form again  :

form2fbtopoc

and here comes the response 😀 :

thumbnail

I was like : That's all Folks

tested it on 2,3 accounts and hopefully this bug was legit ! and here is the  poc I made:

after three days of waiting and 4 any update replies this got duplicated  🙁  :

duplicatedfbto

Bug : Qr code’s allow login/i wasn’t trying to login form was vulnerable to csrf

Impact : this security issue leads any attacker to gain access of the victims account.

Reward : n/a

That’s all fellas ! Hope you enjoyed my write up ,  Thanks to Muhammad Khizer Javed 

Best Regards,                                                                                                                                   Ameer Hamza

About the Author

2 thoughts on “HOW I WAS ABLE TO TAKEOVER FACEBOOK ACCOUNT | Bug Bounty Poc

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: