Victim’s Anti-CSRF Token Could Be Exposed to Third-Party Applications Installed on the User’s Device ($500)

Complete Details
===
During my investigation, I found that a user’s DTSG token can be exposed to a third-party application because of a broken feature in Facebook’s Creator Studio (web version). That broken feature triggers an HTML file download on the user’s device, and the downloaded file contains fb_dtsg, hashes, ajaxpipe_token, the logged-in user’s details and some other info.

Note: This file is saved to the user’s Downloads folder, which any application can easily read, so a malicious application can read this info and use it to carry out CSRF from the user’s device.

Expected behavior: a zip file, or an HTML file containing only the images/thumbnails, should be downloaded.
Actual behavior: a “404 Error” HTML page is downloaded, and that page contains the info listed above.

Impact
===
1. Perform any action on the victim’s behalf using the obtained fb_dtsg token
2. Obtain the logged-in user’s details

Have a look at the PoC video: https://youtu.be/-2MerrwzQPc

Steps
==
1. Visit https://business.facebook.com/creatorstudio/content_posts
2. Click the three dots next to any video to open the “Edit Video” modal box
3. At the footer of the modal box you will see another three dots; click on them
4. Click “Download Generated Thumbnails”
5. This triggers the download of the HTML file to the user’s device. That file contains the sensitive info, including the dtsg token and the other details listed above.
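As an added example (not part of the original write-up, and not Facebook’s code), here is a small Python scanner that does what the Note above warns a malicious app could do, and that a defender can equally run to check whether a Downloads folder holds an HTML page that leaks CSRF tokens: it walks the folder, parses each HTML file, and pulls out fb_dtsg and ajaxpipe_token values. The markup patterns it looks for (a hidden `<input name="fb_dtsg">`, a `DTSGInitialData` JSON blob with a `token` field, and an `ajaxpipe_token` JSON key) are assumptions about how such pages embed the tokens; the sample files it scans are constructed here, not captured from Facebook.

```python
import os
import re
import tempfile
from html.parser import HTMLParser

# Assumed embedding forms. The write-up does not show the 404 page's markup,
# so these patterns are guesses at common ways such tokens appear in a page:
#   - hidden form inputs named fb_dtsg / ajaxpipe_token
#   - an inline script carrying ["DTSGInitialData",[],{"token":"..."}]
#   - an inline JSON key "ajaxpipe_token":"..."
HIDDEN_INPUT_NAMES = {"fb_dtsg", "ajaxpipe_token"}
JSON_TOKEN_RE = re.compile(r'DTSGInitialData[^{}]*\{\s*"token"\s*:\s*"([^"]+)"')
AJAXPIPE_RE = re.compile(r'"ajaxpipe_token"\s*:\s*"([^"]+)"')


class HiddenInputCollector(HTMLParser):
    """Collects values of hidden <input> elements whose name is a token name."""

    def __init__(self):
        super().__init__()
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        is_hidden = (a.get("type") or "").lower() == "hidden"
        if is_hidden and a.get("name") in HIDDEN_INPUT_NAMES and a.get("value"):
            self.found[a["name"]] = a["value"]


def extract_tokens(html: str) -> dict:
    """Return {token_name: value} for every token found in one HTML document."""
    parser = HiddenInputCollector()
    parser.feed(html)
    tokens = dict(parser.found)
    m = JSON_TOKEN_RE.search(html)
    if m and "fb_dtsg" not in tokens:
        tokens["fb_dtsg"] = m.group(1)
    m = AJAXPIPE_RE.search(html)
    if m and "ajaxpipe_token" not in tokens:
        tokens["ajaxpipe_token"] = m.group(1)
    return tokens


def scan_downloads(folder: str) -> dict:
    """Return {filename: tokens} for each .html/.htm file in folder that leaks a token."""
    hits = {}
    for name in sorted(os.listdir(folder)):
        if not name.lower().endswith((".html", ".htm")):
            continue
        path = os.path.join(folder, name)
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                tokens = extract_tokens(fh.read())
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        if tokens:
            hits[name] = tokens
    return hits


# Constructed sample files (fake token values, not real Facebook output).
SAMPLE_404 = """<!DOCTYPE html><html><head><title>404 Not Found</title></head><body>
<form><input type="hidden" name="fb_dtsg" value="AQHexample-token:1:0"/>
<input type="hidden" name="jazoest" value="12345"/></form>
<script>require("X")(["DTSGInitialData",[],{"token":"AQHexample-token:1:0"}]);
var cfg={"ajaxpipe_token":"AXexamplepipe"};</script></body></html>"""
SAMPLE_SCRIPT_ONLY = '<script>x(["DTSGInitialData",[],{"token":"AQHscript-only"}]);</script>'
SAMPLE_CLEAN = "<!DOCTYPE html><html><body><img src='thumb1.jpg'></body></html>"


def demo() -> dict:
    """Write the constructed files into a throwaway 'Downloads' folder and scan it."""
    with tempfile.TemporaryDirectory() as downloads:
        for fname, body in (("404-page.html", SAMPLE_404),
                            ("thumbnails.html", SAMPLE_CLEAN),
                            ("notes.txt", "fb_dtsg=ignored-not-html")):
            with open(os.path.join(downloads, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_downloads(downloads)


if __name__ == "__main__":
    for fname, tokens in demo().items():
        print(f"{fname}: {tokens}")
```

Point it at a real Downloads directory with `scan_downloads(os.path.expanduser("~/Downloads"))`; any hit means a page carrying an anti-CSRF token has been written to world-readable storage and the session's tokens should be treated as exposed.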

Also read: https://rohitcoder.medium.com/csrf-from-which-we-can-create-a-support-ticket-in-victims-account-500-c1aa61f99c17 ($500)

Rohit kumar