CSRF from which we can create a support ticket in the victim’s account ($500)

Complete Details
===

I found a CSRF that lets an attacker create a support ticket with the exact title “Your payouts have been disabled due to suspected fraud” in the victim’s account, which may panic the victim. I wanted to report this issue because I think it may have a bigger impact, so I wanted the FB team to investigate it. I also want to mention that the request behind this CSRF takes a value in the parameter payee_id, which in my case was a PAGE ID, and I noticed I could supply any PAGE ID there.

I don’t know what goes on on the FB support representative’s side of the portal, so if there is an IDOR in the payee_id parameter, an attacker could use this to trick FB’s representatives.

Impact
===
Create a support ticket in the victim’s account

Steps
====

1. Create a test.html page and add this code:

<body onload="window.location.href='https://business.facebook.com/payments/dcp/payout/support/?payee_id=123&onboarding_type=Dcp&payout_subtype=GTW'"></body>

2. Upload it somewhere and send the link to the victim; after the victim opens the link, a new report is created in the victim’s account.

3. You can also open the link https://attacker.com/test.html yourself (the page from step 1); this will also create a report in your own account.
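The root cause in the steps above is a state-changing request that is authenticated by the session cookie alone and reachable with a plain GET, so a top-level navigation from any site carries the victim’s cookie and creates the ticket. The following is an added example, not code from the original post or from Facebook, that models that endpoint beside a hardened version using the usual defences (POST only, Origin check, synchronizer token bound to the session). The route, session store, parameter names and origin are assumptions modelled on the URL in the post.

```python
"""Added example: a constructed stand-in for the ticket endpoint, vulnerable
and hardened side by side. Nothing here is real Facebook code; the route,
session store and SITE_ORIGIN are assumptions for the demonstration."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://business.facebook.com"  # assumption: the app's own origin
TICKET_SUBJECT = "Your payouts have been disabled due to suspected fraud"


@dataclass
class Request:
    method: str
    path: str
    query: dict
    cookies: dict
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


# Constructed session store: one logged-in victim with a per-session CSRF token.
SESSIONS = {"victim-session": {"user": "victim", "csrf": secrets.token_urlsafe(32)}}
TICKETS = []  # (user, payee_id, subject) created by either handler


def _user(req):
    sess = SESSIONS.get(req.cookies.get("session"))
    return sess["user"] if sess else None


def vulnerable_create_ticket(req):
    """Pattern from the post: a GET that changes state, authenticated only by
    the cookie the browser attaches automatically. Any page that navigates to
    this URL (window.location.href) creates the ticket in the victim's account."""
    user = _user(req)
    if user is None:
        return 401, "login required"
    TICKETS.append((user, req.query.get("payee_id"), TICKET_SUBJECT))
    return 200, "ticket created"


def hardened_create_ticket(req):
    """Hardened form: POST only, Origin must be the site's own, and a
    synchronizer token tied to the session must be supplied in the body."""
    user = _user(req)
    if user is None:
        return 401, "login required"
    if req.method != "POST":
        return 405, "method not allowed"
    if req.headers.get("Origin") != SITE_ORIGIN:
        return 403, "cross-site origin rejected"
    expected = SESSIONS[req.cookies["session"]]["csrf"]
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    TICKETS.append((user, req.form.get("payee_id"), TICKET_SUBJECT))
    return 200, "ticket created"


def csrf_token_for(session_id):
    """What the legitimate page would embed in its form (hypothetical helper)."""
    return SESSIONS[session_id]["csrf"]


def cross_site_get():
    """What test.html triggers: a top-level navigation carrying the victim's
    cookie. A cross-site navigation sends Referer but no Origin header."""
    return Request("GET", "/payments/dcp/payout/support/",
                   {"payee_id": "123", "onboarding_type": "Dcp", "payout_subtype": "GTW"},
                   {"session": "victim-session"},
                   {"Referer": "https://attacker.example/test.html"})


def same_site_post(token):
    """A request the site's own support form would send."""
    return Request("POST", "/payments/dcp/payout/support/", {},
                   {"session": "victim-session"}, {"Origin": SITE_ORIGIN},
                   {"payee_id": "123", "csrf_token": token})


def demo():
    """Run both handlers against the constructed requests; return status codes."""
    TICKETS.clear()
    results = {}
    results["vuln_cross_site"] = vulnerable_create_ticket(cross_site_get())[0]
    results["hard_cross_site"] = hardened_create_ticket(cross_site_get())[0]
    forged = same_site_post("not-the-token")
    forged.headers["Origin"] = "https://attacker.example"
    results["hard_wrong_origin"] = hardened_create_ticket(forged)[0]
    results["hard_bad_token"] = hardened_create_ticket(same_site_post("not-the-token"))[0]
    results["hard_legit"] = hardened_create_ticket(same_site_post(csrf_token_for("victim-session")))[0]
    results["tickets"] = len(TICKETS)  # only the vulnerable GET and the legit POST succeed
    return results


if __name__ == "__main__":
    print(demo())
```

Two points worth noting. A SameSite=Lax session cookie does not close this, because Lax cookies are still sent on top-level GET navigations, which is exactly what the `window.location.href` redirect in test.html performs; moving the state change to POST is what makes SameSite and the Origin check effective. The token check alone would also have stopped the attack, but checking Origin first costs nothing and rejects the forged request before any session lookup.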

This was definitely a low-impact issue, because we were only able to create a support ticket with specific subject lines, but what about this one? https://rohitcoder.medium.com/victims-anti-csrf-token-could-be-exposed-to-third-party-applications-installed-on-user-s-device-be8e40d511ba I don’t think that one deserves only $500 either.

Rohit kumar