The H – (International) A $5,000 vulnerability in Facebook. A security researcher disclosed a security hole in Facebook’s Web site. The cross-site request forgery (CSRF) flaw allows an attacker to execute actions as a logged-in user by accessing specific URLs. After Facebook introduced its App Center functionality, the researcher found the anti-CSRF tokens in HTTP requests are not validated on the server side and an attacker is therefore able to add applications on the platform as another user. To execute this attack, the attacker needs the victim to visit a specially crafted Web site, after which malicious applications can be planted on the App Center. AntiCSRF measures like the ones employed by Facebook are supposed to prevent this kind of attack by generating a token with every valid session that must be sent with every request. Scripts on other Web sites have no access to this token and therefore can not generate valid requests. In Facebook’s case, the App Center pages did not actually - 18 - check the token for validity, which allowed anyone to send bogus requests and have them accepted. The Facebook Security team fixed the vulnerability within 1 day of being contacted by the researcher.
Ali Loney, on August 23, 2012