Cross Site Request Forgery in Facebook

Victim: has a Facebook account with the number (+9233320xxxxx), and the
number is confirmed on that account.

Attacker: has a Facebook account with the same number (+9233320xxxxx),
but the number is unconfirmed on that account. Alternatively, the attacker
can add that number to any Facebook account (unconfirmed).

According to Facebook policy, a user can confirm a specific number on
only one account. The same number can be added to multiple accounts,
but it can be confirmed on only one of them.

“In 2016 I reported to Facebook that I am able to add any number to my
Facebook ID (unconfirmed). But that number will display on my Facebook,
so I can impersonate someone’s identity. They said “We are already
aware of the situation” and this is not a bug.”

In December 2016 I found out that I am able to reset a password with
unconfirmed number(s) and email(s). So, as the attacker, I sent a password
reset request to (+9233320xxxxx). But I was not able to get any code or
URL to reset the password, because as the attacker I did not have physical
access to that number.

But as the victim I got a message from 32665 (FBOOK):

“Your password reset code is 283923 and URL https://www.fb.com/h2hdj232”

As the victim I clicked on that encoded link
(https://www.fb.com/h2hdj232). After a single click on that encoded
link, the number (+9233320xxxxx) was deleted from the victim’s account and
added to the attacker’s Facebook account.

Actually, when the victim clicked on the encoded link, the number was
deleted from the victim’s ID and added to the attacker’s account because
the victim was redirected to the attacker’s Facebook account.

I submitted a report and got a reply from Neal:
========================================
Hi Zahid,
Got it. The ability to reset the account via these methods is not the
problem: the problem is that we confirm the email or phone number when
someone simply clicks a link which isn’t clear that it will confirm
the account. I’ll follow up with the team about it.
Thanks,
Neal
Security

========================================

After a few hours I got another reply from Neal:

========================================
Hi Zahid,
We’ve temporarily disabled the ability to perform password recovery
via unconfirmed phone numbers as a mitigation.
Thanks,
Neal
Security

========================================

I asked Neal if this is a valid bug:

========================================
Hi Zahid,
Yes, we’re going to change the circumstances in which we allow phone
confirmations to happen in this flow.
Thanks,
Neal
Security

========================================
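As an added illustration (not Facebook’s code), the following Python model reproduces the flow described above, with the two rules Neal mentions as a single `hardened` switch: recovery can only start from a confirmed number, and a link click no longer confirms the number for the account that requested the reset. The account names, the placeholder number and the code format are assumptions.

```python
import secrets

class ResetFlow:
    """Toy model of the reset flow; `hardened` switches on both fixes."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.confirmed_owner = {}  # phone -> the one account that confirmed it
        self.unconfirmed = {}      # phone -> accounts that merely added it
        self.tokens = {}           # reset code -> account that requested it

    def add_phone(self, account, phone, confirmed):
        if confirmed:
            self.confirmed_owner[phone] = account
        else:
            self.unconfirmed.setdefault(phone, set()).add(account)

    def request_reset(self, account, phone):
        """Requester asks for a reset via a number attached to its account."""
        is_confirmed = self.confirmed_owner.get(phone) == account
        if self.hardened and not is_confirmed:
            return None  # Fix 1: unconfirmed numbers cannot start recovery
        code = secrets.token_urlsafe(6)
        self.tokens[code] = account
        return code  # the SMS carrying it goes to whoever holds the number

    def click_link(self, code, phone):
        """Whoever received the SMS follows the link (no login required)."""
        requester = self.tokens.pop(code)
        if not self.hardened:
            # Vulnerable: the click is taken as proof that the *requesting*
            # account owns the number, so it is moved to that account.
            self.confirmed_owner[phone] = requester
            self.unconfirmed.get(phone, set()).discard(requester)
        # Fix 2: in the hardened flow the click only opens the reset session;
        # the number's confirmation state is left untouched.
        return requester


def run_scenario(hardened):
    """Return which account holds the confirmed number after the attack."""
    flow = ResetFlow(hardened)
    phone = "+9233320000000"  # constructed placeholder, not a real number
    flow.add_phone("victim", phone, confirmed=True)
    flow.add_phone("attacker", phone, confirmed=False)
    code = flow.request_reset("attacker", phone)
    if code is not None:
        flow.click_link(code, phone)  # the victim, who got the SMS, clicks
    return flow.confirmed_owner[phone]
```

`run_scenario(False)` ends with the number confirmed on the attacker’s account, as in the report; `run_scenario(True)` refuses the reset and leaves it with the victim.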

I found multiple bugs in Facebook and I am in the Hall of Fame for
2015, 2016 and now 2017. I hope this PoC was helpful.
