CSRF from which we can create a support ticket in Victim’s Account (500$)

Rohit kumar
2 min readMay 20, 2021

--

Complete Details
===

I found a CSRF from which we can create a Support ticket with the exact title “Your payouts have been disabled due to suspected fraud” in the victim’s account which may panic victim, but I wanted to report this issue because I think this may have a bigger impact, So I wanted FB team to investigate it and I also want to mention that while initiating this CSRF attack, it takes a value in parameter payee_id which takes PAGE ID in my case, and I noticed I can supply and PAGE ID there

I don’t know what’s going on FB’s Support Representative Side portal, so if there is any IDOR here in param payee_id then the attacker can use this to Trick FB’s Representative

Impact
===
Create a support ticket in the victim’s account

Steps
====

1. Create a test.html page and add this code

<body onload=’window.location.href=”https://business.facebook.com/payments/dcp/payout/support/?payee_id=123&onboarding_type=Dcp&payout_subtype=GTW"'></body>

2. upload it somewhere and send a link to the victim and after opening the link a new report will be created in the victim’s account

3. You can also open this link https://attacker.com/test.html (Step1 performed here), this will also create a report in your account.

This was definitely a low impact issue because we were able to create a support ticket with only specific subject lines, but what about this one? https://rohitcoder.medium.com/victims-anti-csrf-token-could-be-exposed-to-third-party-applications-installed-on-user-s-device-be8e40d511ba i don’t think this also deserves only 500$

--

--

Rohit kumar

✌ Hacking & Security, Programming / Technology - Not all superheroes wear capes, some just push code to Github.