Session Expiration Bypass in Facebook Creator App

Hello everybody,

Welcome back to my medium after many days. Sorry for not publishing anything for a long time, these days I was busy with some personal work. Today am going to share one cool bug that I found in the facebook creator app which I had already shown in the Pentester Nepal Monthly meetup program.

So, first of all, let me elaborate some more about the facebook creator app.

Facebook Creator Studio lets creators and publishers manage posts, insights and messages from all of your Facebook Pages in one place.”

Image for post
Image for post
Image for post
Image for post
Image for post
Image for post

So, talking more about the security issue that I found in the facebook creator app, I was able to publish a post or delete a post or do all the malicious activities that we can do from creator app even after the session has expired.

How I was able to bypass the session expiration?

When we log out all the logged-in devices from Security and Login then it shows session expired on facebook creator app but the session was not actually expired in the app. This is how the session expired message was shown.

Session Expired
Session Expired

but how I was able to post, delete or send a message after this too.

For exploiting this vulnerability, I used two devices i.e my phone and my laptop.

  1. I logged into both the devices
  2. I logged out all the active sessions of the Facebook creator app from my laptop.
  3. Session Expired message was shown on my phone.
  4. I then turned my phone mobile data or wifi off.
  5. I closed all the running app and reopened the Facebook Creator app.
  6. I tried to create a post without turning on wifi or mobile data.
  7. While clicking Publish post I turned on my wifi and Post was successfully created.
  8. After Post was successfully created, Session Expired Message was Shown :)

For deleting posts and for other malicious activities same procedure could have helped me. I was awarded 1500$ for this vulnerability.

Image for post
Image for post
Bounty Awarded From Facebook

Impact

Once I logged into someone's Facebook account then I could have used that account for a lifetime even after the victim log outs all the devices or change his password.

Now App has been removed from Facebook.

Timeline

Reported: Aug 1, 2018

Triaged: Aug 30, 2018

Patched: Feb 28, 2019

Bounty Awarded: Apr 10, 2019

Video POC:

Written by

Head of Security at NASSec

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store