The vulnerability was discovered by Josip Franjković and fixed about two months ago; yesterday the author wrote about it on the pyx.io blog. The bug is similar to the one found by Dan Melamed.
To exploit it you needed a Facebook account, an Outlook.com mailbox and a victim. The Outlook address must not already be linked to your Facebook account.
Facebook has a "Find contacts on Facebook" feature that invites people from your contact list and adds the email address to your account. When you grant Facebook access to your Outlook address book, a GET request is made to m.facebook.com/contact-importer/login/?api_instance=1&api_ver=wave5&auth_token=TOKEN, which adds the email to your account.
Valid token received by the author:
The request carried no further checks, so it could be replayed as many times as you like. Worse, the same request also worked when issued by other users.
A potential attacker's sequence of actions was as follows: use "Find contacts on Facebook" from your own account while logging all requests; find the request to /contact-importer/login, unlink the newly added email from your account, and by any means make the victim issue a request to /contact-importer/login. The email is then added to the victim's account, and the "Forgot your password" feature can be used to access it.
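The root cause is that the auth_token said nothing about which logged-in account had started the import and could be reused. As an added illustration, not Facebook's code, here is a toy model of the callback handler with the unchecked behaviour beside a version that binds the token to the session that requested it and accepts it only once; the class, the token layout and the HMAC scheme are assumptions.

```python
import hmac
import hashlib
import secrets

SECRET = secrets.token_bytes(32)  # constructed server-side key for this demo


class ContactImporter:
    """Toy model of the contact-importer login step (assumed, not Facebook's code)."""

    def __init__(self, bind_to_user: bool):
        self.bind_to_user = bind_to_user
        self.accounts = {}        # user_id -> set of linked email addresses
        self.used_tokens = set()  # one-time-use ledger (hardened mode only)

    def issue_token(self, user_id: str, email: str) -> str:
        """Minted when user_id grants the importer access to a mailbox."""
        nonce = secrets.token_hex(8)
        if self.bind_to_user:
            payload = f"{user_id}|{email}|{nonce}"   # hardened: names the requesting account
        else:
            payload = f"{email}|{nonce}"             # unchecked: no link to who started the flow
        sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{sig}"

    def login_callback(self, current_user: str, token: str) -> bool:
        """Handler for GET /contact-importer/login/?auth_token=TOKEN; current_user is the session owner."""
        payload, _, sig = token.rpartition("|")
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False                            # forged or tampered token
        parts = payload.split("|")
        if self.bind_to_user:
            owner, email, _nonce = parts
            if owner != current_user:
                return False                        # token was minted for a different session
            if token in self.used_tokens:
                return False                        # replay of an already consumed token
            self.used_tokens.add(token)
        else:
            email = parts[0]                        # unchecked: any session can consume it
        self.accounts.setdefault(current_user, set()).add(email)
        return True
```

A real fix would also move the state change off a GET request and behind the usual CSRF token, so a cross-site navigation cannot trigger it at all.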