Discovered 2 new Facebook vulnerabilities


The Security researcher Dan Melamed has found two new Facebook vulnerabilities.

Security researcher Dan Melamed has found 2 new Facebook vulnerabilities that has been recently patched and that I decided to shows you to understand the infinite possibilities an attacker have to hit also a robust platform like FB.

The Facebook vulnerabilities are considerable a medium-severity bug and allow an attacker to invite any user to like a Facebook Fanpage. Dan Melamed has found 2 Facebook vulnerabilities within the Facebook Fan Page:

  1. A Facebook Fanpage Invite Exploit to invite any Facebook user to like a Fanpage even if they are not my friend
  2. A Cross Site Request Forgery (CSRF) flaw
It is explianed by Dan that a spammer can design a bot to collect FB ID and spam the friend invites to like his fan page, interestingly CSRF allows the spammer to sent the invites on other user behalf.

“To reproduce this flaw, you first visit a link with the ID of the page you want to invite friends to: will see a list of your friends to invite. When clicking to invite someone, you change the invitee_id parameter in the HTTP request to another Facebook user id that belongs to someone who is not in your friends list.”The CSRF flaw was that the request was using the GET method without any anti-csrftokens: the link above would invite Mark Zuckerberg (profile id: 4) to like your fanpage.”

Following the video of the Poc:
Facebook Vulnerabilities POC
Excellent the reply of the Facebook security team that fixed the Facebook vulnerabilities, after the fix was applied the link requires a POST method which includes the fb_dtsg token preventing to send invites to people who are not on attacker friends list.