Facebook Bug Would've Allowed for One Click Account Takeovers
Mar 3, 2018
A security researcher spotted a bug in Facebook that would have allowed attackers to take over the accounts of users who clicked on a single link. According to Youssef Sammouda, a vulnerable endpoint let him make posts on a user's timeline, delete the profile picture, or delete the account with a single, relatively simple URL. By hosting a simple script on an external domain, samm0uda could then completely take over Facebook accounts. Fortunately, Facebook's security team is more diligent than most: they responded to his bug report immediately and fixed it in a matter of days. The researcher seems to be a particularly prolific bug hunter, having posted over a dozen separate exploits in the last month alone, and Facebook officially lists him as one of its top security researchers. Thanks to The Hacker News for spotting the post.

This bug could have allowed malicious users to send requests with CSRF tokens to arbitrary endpoints on Facebook, which could lead to takeover of victims' accounts. In order for this attack to be effective, an attacker would have to trick the target into clicking on a link... The attack seems long but it's done in the blink of an eye, and it's dangerous because it doesn't target a specific user but anyone who visits the link in step 1.
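As an added illustration (not Facebook's code and not the researcher's write-up), the hypothetical Python relay below shows the class of bug described: a server-side handler that attaches the logged-in user's anti-CSRF token and forwards the request to whatever endpoint the link names, beside a hardened version that allowlists destinations and requires the token to arrive with the request. The session, the endpoint paths and the `next`/`token` parameter names are all constructed for the demo.

```python
# Hypothetical demo of a "token-injecting relay" (constructed, not Facebook's code).
from urllib.parse import urlparse, parse_qs
import secrets

# Constructed session for the logged-in victim; the anti-CSRF token is per session.
SESSION = {"user": "victim", "csrf_token": secrets.token_hex(16)}

# Constructed stand-ins for authenticated, state-changing endpoints.
ACTIONS = {
    "/post/create": lambda p: f"posted: {p.get('text', [''])[0]}",
    "/profile/picture/delete": lambda p: "profile picture deleted",
    "/account/delete": lambda p: "account deleted",
}

def dispatch(path, params, session):
    """Every action endpoint checks the CSRF token before doing anything."""
    if path not in ACTIONS:
        return "denied: unknown endpoint"
    if params.get("token", [None])[0] != session["csrf_token"]:
        return "denied: missing or wrong CSRF token"
    return ACTIONS[path](params)

def relay_vulnerable(link, session):
    """Bug class from the article: the relay trusts the link for the destination
    and fills in the victim's own token, so one crafted link reaches any endpoint."""
    params = parse_qs(urlparse(link).query)
    target = params.pop("next", [""])[0]
    params["token"] = [session["csrf_token"]]   # server supplies the token: CSRF check always passes
    return dispatch(target, params, session)

RELAY_ALLOWED = {"/post/create"}   # the only destination this relay is meant to reach

def relay_fixed(link, session):
    """Hardened relay: destination must be allowlisted, and the token must come
    with the request (i.e. from a page the victim's own browser rendered)."""
    params = parse_qs(urlparse(link).query)
    target = params.pop("next", [""])[0]
    if target not in RELAY_ALLOWED:
        return f"denied: {target} is not a relay destination"
    return dispatch(target, params, session)   # no token injection

if __name__ == "__main__":
    crafted = "https://example.invalid/relay?next=/account/delete"
    print("vulnerable:", relay_vulnerable(crafted, SESSION))
    print("fixed:     ", relay_fixed(crafted, SESSION))
```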