I found a CSRF with which we can create a support ticket with the exact title “Your payouts have been disabled due to suspected fraud” in the victim’s account, which may panic the victim. I wanted to report this issue because I think it may have a bigger impact, so I wanted the FB team to investigate it. I also want to mention that while initiating this CSRF attack, it takes a value in the parameter payee_id, which takes a PAGE ID in my case, and I noticed I can supply any PAGE ID there.
I don’t know what’s going on in FB’s Support Representative side portal, so if there is any IDOR here in the param payee_id, then the attacker can use this to trick FB’s representative.
Create a support ticket in the victim’s account
1. Create a test.html page and add this code
2. Upload it somewhere and send a link to the victim; after opening the link, a new report will be created in the victim’s account.
3. You can also open this link https://attacker.com/test.html (Step 1 performed here); this will also create a report in your account.
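From the defender's side, the two conditions described above (a state-changing request accepted without an anti-CSRF check, and a payee_id that is not tied to the caller) map to the server-side checks sketched below. This is an added example, not code from the original write-up or from Facebook; the handler name, origin, secret, and page-ownership table are all hypothetical, constructed values.

```python
import hashlib
import hmac
from typing import Optional, Tuple

SERVER_SECRET = b"constructed-demo-secret"      # constructed value
TRUSTED_ORIGINS = {"https://app.example"}       # hypothetical first-party origin
PAGE_OWNERS = {"1001": "alice", "2002": "bob"}  # constructed payee_id -> owner map


def issue_csrf_token(session_id: str) -> str:
    """Bind the anti-CSRF token to the session so another site cannot guess it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def create_support_ticket(session: dict, origin: Optional[str], form: dict) -> Tuple[int, str]:
    """Return (HTTP status, reason) for a ticket-creation POST (hypothetical handler)."""
    # 1. Reject requests whose Origin header is absent or not first-party.
    if origin not in TRUSTED_ORIGINS:
        return 403, "untrusted origin"
    # 2. Require the per-session token and compare it in constant time.
    expected = issue_csrf_token(session["id"]).encode()
    supplied = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(expected, supplied):
        return 403, "bad csrf token"
    # 3. Object-level check: payee_id must be a page the caller owns.
    if PAGE_OWNERS.get(str(form.get("payee_id", ""))) != session["user"]:
        return 403, "payee_id not owned by caller"
    return 201, "ticket created"


if __name__ == "__main__":
    alice = {"id": "sess-1", "user": "alice"}   # constructed session
    token = issue_csrf_token(alice["id"])
    cases = [
        ("cross-site form post", "https://attacker.com", {"payee_id": "1001"}),
        ("first-party, no token", "https://app.example", {"payee_id": "1001"}),
        ("someone else's page", "https://app.example", {"csrf_token": token, "payee_id": "2002"}),
        ("legitimate request", "https://app.example", {"csrf_token": token, "payee_id": "1001"}),
    ]
    for label, origin, form in cases:
        print(label, "->", create_support_ticket(alice, origin, form))
```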
This was definitely a low-impact issue because we were able to create a support ticket with only specific subject lines, but what about this one? https://rohitcoder.medium.com/victims-anti-csrf-token-could-be-exposed-to-third-party-applications-installed-on-user-s-device-be8e40d511ba I don’t think this also deserves only 500$.