Victim’s Anti CSRF Token could be exposed to Third-party Applications installed on user’s Device (500$)

Complete Details
During my investigation, I found that a user’s DTSG token can be exposed to a third-party application because of a broken feature in Facebook’s Creator Studio (Web Version), That broken feature triggers an HTML file download in user’s device, which contains fb_dtsg, hashes, ajaxpipe_token, LoggedIn user details and some other info.

Note: This file gets downloaded in the User’s Download folder which can be easily accessed by any application, So a malicious application can read this info and use it for exploiting csrf on the user’s device.

Expected behavior: A zip file or HTML file with only images/thumbnails should be downloaded.
Actual behavior: A “404 Error” HTML page gets downloaded which contains this info

1. Perform any action with obtained fb_dtsg token
2. Get info of LoggedIn user

Have a look at this PoC Video —

1. Visit
2. Click on 3 dots aside any video to open the “Edit Video” Modal box
3. Now, at the footer of the Modal box you will see three dots click on that
4. Now, click on “Download Generated Thumbnails”
5. This will trigger a download of the HTML file on the user’s device, This file contains all sensitive info like dtsg_token and other details.

Also read (500$)




✌ Startup Enthusiast, Business Minded, Bug Hunter, Programmer, Astrophile, Learner and Genius :D 😅

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Blue Team-System Live Analysis [Part 8]- Windows: User Account Forensics- Profile Folder, AppData…

Guide to Private and Secure Operating Systems

In IoT, How Can We Represent Binary Data Objects and Integrate Security?

Blockchain is the key to unlock the world post-Pandemic.

POFID anonymous transactions, personal information protection is the problem that DeFi must face.

A Foolproof Guide To WordPress Security

Epic Women in Cyber — Katlyn Gallo

Best Tips to Hiring a Hacker For Phone Monitoring

I Need a Hacker

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Rohit kumar

Rohit kumar

✌ Startup Enthusiast, Business Minded, Bug Hunter, Programmer, Astrophile, Learner and Genius :D 😅

More from Medium

FileZilla Client — Cleartext Storage of Sensitive Information in Memory Vulnerability…

Warning for Android users BRATA Virus Mobile Banking App may be hacked.

Internet-Wide Study: State Of SPF, DKIM, And DMARC — RedHunt Labs

Paper (HTB)- Walkthrough/Writeup