It’s 2019, and just clicking on a specially crafted URL would have allowed an attacker to hack your Facebook account without any further interaction.

A security researcher discovered a critical cross-site request forgery (CSRF) vulnerability in the most popular social media platform that could have allowed attackers to hijack Facebook accounts simply by tricking the targeted users into clicking on a link.

The researcher, who goes by the online alias “Samm0uda,” discovered the vulnerability after he spotted a flawed endpoint (facebook.com/comet/dialog_DONOTUSE/) that could have been exploited to bypass CSRF protections and take over the victim’s account.

“This is possible because of a vulnerable endpoint which takes another given Facebook endpoint selected by the attacker along with the parameters and makes a POST request to that endpoint after adding the fb_dtsg parameter,” the researcher says on his blog. “Also this endpoint is located under the main domain www.facebook.com which makes it easier for the attacker to trick his victims to visit the URL.”

All the attacker needs to do is trick the victims into clicking a specially crafted Facebook URL, as mentioned on his blog, designed to perform various actions such as posting anything on their timeline, changing or deleting their profile picture, and even tricking users into deleting their entire Facebook accounts.

1-Click Exploit to Completely Take Over Facebook Accounts

Taking over full control of the victims’ accounts or tricking them into deleting their entire Facebook account requires some extra effort from the attacker’s side, as victims need to enter their password before the account is deleted. To do this, the researcher said it would require the victims to visit two separate URLs, one to add the email or phone number and one to confirm it. It’s “because the ‘normal’ endpoints used to add emails …
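The flaw described above, modelled as an added example that is not Facebook’s code and not from the researcher’s write-up: a small in-memory Python model of a session with an anti-CSRF token, a forwarding endpoint that attaches the token on the caller’s behalf (the pattern the researcher describes), and a hardened form that insists the caller already presents the token and only forwards to an allowlisted endpoint. The `Session` class, `post_timeline` endpoint and `ENDPOINTS` table are constructed for the illustration; only the parameter name `fb_dtsg` and the `dialog_DONOTUSE` path come from the article.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Constructed, hypothetical model: one logged-in session and one
# state-changing endpoint protected by a per-session token (fb_dtsg).
@dataclass
class Session:
    user: str
    fb_dtsg: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    timeline: list = field(default_factory=list)

def post_timeline(session, params):
    # Every state-changing endpoint verifies the anti-CSRF token itself.
    if not secrets.compare_digest(params.get("fb_dtsg", ""), session.fb_dtsg):
        return 403, "missing or invalid fb_dtsg"
    session.timeline.append(params.get("message", ""))
    return 200, "posted"

ENDPOINTS = {"/timeline/post": post_timeline}

def _query(url):
    # Flatten ?a=b&c=d into a plain dict (first value wins).
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def vulnerable_dialog(session, url):
    """The flawed pattern: forward to whatever endpoint the URL names and add
    the session's fb_dtsg server-side. A cross-site GET that carries no token
    becomes an authenticated, token-bearing POST, so the CSRF check is moot."""
    q = _query(url)
    target = ENDPOINTS.get(q.get("endpoint"))
    if target is None:
        return 404, "unknown endpoint"
    q["fb_dtsg"] = session.fb_dtsg  # token injected for the caller: the bug
    return target(session, q)

def hardened_dialog(session, url):
    """Hardened form: the caller must present its own token (only same-origin
    script can read it), and forwarding is limited to an explicit allowlist."""
    q = _query(url)
    allowed = {"/timeline/post"}
    if not secrets.compare_digest(q.get("fb_dtsg", ""), session.fb_dtsg):
        return 403, "caller must present its own fb_dtsg"
    if q.get("endpoint") not in allowed:
        return 403, "endpoint not allowed"
    return ENDPOINTS[q["endpoint"]](session, q)
```

A cross-site link can only produce the token-less URL, so the hardened forwarder rejects it while the direct endpoint keeps its own check.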
