Session Expiration Bypass in Facebook Creator App

Ajay Gautam
Oct 24 · 3 min read

Hello everybody,

Welcome back to my medium after many days. Sorry for not publishing anything for a long time, these days I was busy with some personal work. Today am going to share one cool bug that I found in the facebook creator app which I had already shown in the Pentester Nepal Monthly meetup program.

So, first of all, let me elaborate some more about the facebook creator app.

Facebook Creator Studio lets creators and publishers manage posts, insights and messages from all of your Facebook Pages in one place.”

So, talking more about the security issue that I found in the facebook creator app, I was able to publish a post or delete a post or do all the malicious activities that we can do from creator app even after the session has expired.

How I was able to bypass the session expiration?

When we log out all the logged-in devices from Security and Login then it shows session expired on facebook creator app but the session was not actually expired in the app. This is how the session expired message was shown.

Session Expired
Session Expired

but how I was able to post, delete or send a message after this too.

For exploiting this vulnerability, I used two devices i.e my phone and my laptop.

  1. I logged into both the devices
  2. I logged out all the active sessions of the Facebook creator app from my laptop.
  3. Session Expired message was shown on my phone.
  4. I then turned my phone mobile data or wifi off.
  5. I closed all the running app and reopened the Facebook Creator app.
  6. I tried to create a post without turning on wifi or mobile data.
  7. While clicking Publish post I turned on my wifi and Post was successfully created.
  8. After Post was successfully created, Session Expired Message was Shown :)

For deleting posts and for other malicious activities same procedure could have helped me. I was awarded 1500$ for this vulnerability.

Bounty Awarded From Facebook

Impact

Once I logged into someone's Facebook account then I could have used that account for a lifetime even after the victim log outs all the devices or change his password.

Now App has been removed from Facebook.

Timeline

Reported: Aug 1, 2018

Triaged: Aug 30, 2018

Patched: Feb 28, 2019

Bounty Awarded: Apr 10, 2019

Video POC:


Ajay Gautam

Written by

Chief Information Security Officer at NASSec

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade