Victim’s Anti CSRF Token could be exposed to Third-party Applications installed on user’s Device (500$)
During my investigation, I found that a user’s DTSG token can be exposed to a third-party application because of a broken feature in Facebook’s Creator Studio (Web Version), That broken feature triggers an HTML file download in user’s device, which contains fb_dtsg, hashes, ajaxpipe_token, LoggedIn user details and some other info.
Note: This file gets downloaded in the User’s Download folder which can be easily accessed by any application, So a malicious application can read this info and use it for exploiting csrf on the user’s device.
Expected behavior: A zip file or HTML file with only images/thumbnails should be downloaded.
Actual behavior: A “404 Error” HTML page gets downloaded which contains this info
1. Perform any action with obtained fb_dtsg token
2. Get info of LoggedIn user
Have a look at this PoC Video — https://youtu.be/-2MerrwzQPc
1. Visit https://business.facebook.com/creatorstudio/content_posts
2. Click on 3 dots aside any video to open the “Edit Video” Modal box
3. Now, at the footer of the Modal box you will see three dots click on that
4. Now, click on “Download Generated Thumbnails”
5. This will trigger a download of the HTML file on the user’s device, This file contains all sensitive info like dtsg_token and other details.