Broken session management leads to 2FA bypass and permanent access to a Facebook user's account


The story began when I received a notification from a friend about a donation campaign for his birthday. I was using the Facebook app (iOS), and when I tapped the Donate button it redirected me to the web version to make the donation with a credit card or PayPal, through this endpoint: {/donation/login/?nonce=xxxxx&uid=xxxxxx}

(Screenshot: Donation feature)

https://m.facebook.com/donation/login/?nonce=xxxxxx&uid={USER_ID}

I noticed that when I then went to Facebook.com in the web browser, even though I had not signed in there with my Facebook account, Facebook automatically redirected me into my account without a password or any other authentication!

So I repeated the same scenario, but this time I copied the link https://m.facebook.com/donation/login/?nonce=xxxxxx&uid={USER_ID} and sent it to a friend. He got access to my Facebook account without any authentication (no 2FA, no password), and even after I changed my password he still had access to my account!

Steps :

1. Open a friend's donation campaign in the Facebook app (iOS).
2. Try to make a donation.
3. You will be redirected to the endpoint "https://m.facebook.com/donation/login/?nonce=xxxxxx&uid=xxxxxx".
4. Copy this link and open it on another device on which you have never signed in to the account.
5. Go to Facebook.com; you will be redirected automatically into the victim's account.
6. You now have access to the Facebook account without the password or 2FA. Even if the victim changes the password or removes all sessions, you still keep access.
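The root cause described above is an app-to-web login handoff link whose nonce behaves like a long-lived bearer credential: anyone holding the link gets a session, the link can be replayed, and the resulting session is not tied to the password or to the mobile session that requested it. The following is an added example, not Facebook's code, of the checks such a handoff needs; the endpoint, field names, storage layout and 60-second lifetime are assumptions made for illustration. It models issuing the link from an authenticated mobile session and redeeming it on the web, and refuses the link when it is expired, replayed, presented for a different uid, issued before a password change, or issued by a session that has since been logged out.

```python
"""Model of an app-to-web login handoff ("nonce" link) and the checks that
keep it from turning into a permanent bearer credential.

Added example, not Facebook's code: the endpoint, parameter names, storage
layout and lifetime are assumptions chosen to illustrate the write-up.
"""
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse


@dataclass
class User:
    uid: str
    password_generation: int = 0              # bumped on every password change
    sessions: dict = field(default_factory=dict)  # session_id -> created_at


@dataclass
class HandoffToken:
    uid: str
    issuing_session: str       # the mobile session that asked for the handoff
    password_generation: int   # password generation at issue time
    expires_at: float
    used: bool = False


class AuthServer:
    HANDOFF_TTL = 60  # seconds; a handoff link only has to survive one redirect

    def __init__(self):
        self.users = {}    # uid -> User
        self.tokens = {}   # nonce -> HandoffToken

    # --- account lifecycle ---------------------------------------------
    def create_user(self, uid):
        self.users[uid] = User(uid)

    def login(self, uid):
        """Full login (password and 2FA assumed to have succeeded)."""
        sid = secrets.token_urlsafe(16)
        self.users[uid].sessions[sid] = time.time()
        return sid

    def change_password(self, uid, keep_session=None):
        """Password change: every other session and every pending handoff dies."""
        user = self.users[uid]
        user.password_generation += 1
        user.sessions = {s: t for s, t in user.sessions.items() if s == keep_session}

    def logout_all(self, uid):
        """'Log out of all sessions': also kills handoffs those sessions issued."""
        self.users[uid].sessions.clear()

    # --- handoff ---------------------------------------------------------
    def issue_handoff(self, uid, session_id, now=None):
        """Issue a one-time link for the web view, bound to the requesting session."""
        now = time.time() if now is None else now
        user = self.users[uid]
        if session_id not in user.sessions:
            raise PermissionError("no valid session")
        nonce = secrets.token_urlsafe(32)
        self.tokens[nonce] = HandoffToken(uid, session_id, user.password_generation,
                                          now + self.HANDOFF_TTL)
        # Hypothetical host; the real endpoint shape is the one in the write-up.
        return f"https://m.example.com/donation/login/?nonce={nonce}&uid={uid}"

    def redeem_handoff(self, nonce, uid, now=None):
        """Exchange the link for a web session; return the session id or None."""
        now = time.time() if now is None else now
        tok = self.tokens.get(nonce)
        if tok is None or tok.used or tok.uid != uid:
            return None                                   # unknown, replayed or wrong account
        user = self.users[uid]
        if now > tok.expires_at:
            return None                                   # expired
        if tok.password_generation != user.password_generation:
            return None                                   # password changed since issue
        if tok.issuing_session not in user.sessions:
            return None                                   # requesting session was revoked
        tok.used = True                                   # single use: a replay fails
        return self.login(uid)


def parse_handoff_link(url):
    """Pull nonce and uid back out of a handoff link (what the web endpoint receives)."""
    qs = parse_qs(urlparse(url).query)
    return qs["nonce"][0], qs["uid"][0]
```

Note that the web session created on redemption lives in the same session table as every other session, so a later password change or "log out of all sessions" removes it too; the write-up's finding is precisely that this was not the case for the session the donation link created.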

Impact :

  1. Bypassing all authentication (password and 2FA); the access persists after a password change or after removing all sessions.

Timeline

(Screenshot of the report timeline: bounty awarded)

Happy Hacking!!

@0xBarakat

Written by @0xBarakat, student in the morning, hacker at night.
