Sunday, 11 January 2015
One comments

Facebook Vulnerability Allows to Video-Call Mark Zuckerberg!


Facebook Vulnerability Allows to Video-Call Mark Zuckerberg!

Have you ever desired to Video-Call the Founder of Facebook?
Well, with this Vulnerability it's still possible!.

The following used vulnerability allows with a GET (In-URI) CSRF Parameter to avoid the Video-Calling blocks into Mark Zuckerberg Privacy Setting's.

.First let me introduce what a CSRF Vulnerability IS:

"A Cross-Site Request Forgery (CSRF) Vulnerability is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user?s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated." (*)

Now, Let's start analyzing it!
First we start from this URL (like we are actually Video-Calling one of our Friends):

https://www.facebook.com/videocall/incall/

When we've identified the Vulnerable GET Parameter, we may apply it as below!

https://www.facebook.com/videocall/incall/?peer_id=

After the peer_id= parameter, we'll insert Mark Zuckerberg ID (which is id=4)

So, definitely, the Complete URL, will look like this below:

https://www.facebook.com/videocall/incall/?peer_id=4



Regarding this Bug, Facebook Security Team have not yet released a FIX, on the fact continuing to allow Attackers to use this flaw against the whole Social Community!.

Reference: OWASP CSRF Guide
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet


About the Author :
Christian Galeone is a Cyber Security Researcher from Italy, he's currently studying to ITCL Marco Polo ( Vocational Technical Institute | Vo-Tech ) attending the IT Programming Class.
He has been Acknowledged by the TOP 5 Companies including Yahoo!, Microsoft, AT&T, Sony etc. He is currently working with HOC as author of Cyber Security & Critical Tools Research Articles.

1 comments:

  1. Very good Post, well written and very thought out. I am looking forward to reading more of your posts in the future and your blogs is marvelous.
    Thanks
    Susanne Green
    medical assistant

    ReplyDelete

Note: only a member of this blog may post a comment.

 
Toggle Footer
Top