Victim’s Anti CSRF Token could be exposed to Third-party Applications installed on user’s Device (500$)

Complete Details
During my investigation, I found that a user’s DTSG token can be exposed to a third-party application because of a broken feature in Facebook’s Creator Studio (Web Version), That broken feature triggers an HTML file download in user’s device, which contains fb_dtsg, hashes, ajaxpipe_token, LoggedIn user details and some other info.

Note: This file gets downloaded in the User’s Download folder which can be easily accessed by any application, So a malicious application can read this info and use it for exploiting csrf on the user’s device.

Expected behavior: A zip file or HTML file with only images/thumbnails should be downloaded.
Actual behavior: A “404 Error” HTML page gets downloaded which contains this info

1. Perform any action with obtained fb_dtsg token
2. Get info of LoggedIn user

Have a look at this PoC Video —

1. Visit
2. Click on 3 dots aside any video to open the “Edit Video” Modal box
3. Now, at the footer of the Modal box you will see three dots click on that
4. Now, click on “Download Generated Thumbnails”
5. This will trigger a download of the HTML file on the user’s device, This file contains all sensitive info like dtsg_token and other details.

Also read (500$)

✌ Startup Enthusiast, Business Minded, Bug Hunter, Programmer, Astrophile, Learner and Genius :D 😅

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store