Full Report
Recently, the author of this post found an issue with the account recovery flow. While trying to send multiple OTP codes, they hit an SMS captcha flow. Most people would stop there, but the author decided to examine the format of the captcha URL, which carried a parameter called `next`. This parameter could be pointed at sensitive GraphQL operations, such as posting to the timeline or changing email privacy settings. The result is a CSRF attack: because the POST request is issued from the captcha page itself, it carries the user's CSRF token. The CSRF fires when a user clicks the Continue button on a captcha page loaded from the malicious URL. I'd personally never seen a bug like this! Seeing a URL control the entire content of a request is pretty interesting. The fix was adding a message authentication code (MAC) so the URL can no longer be tampered with; additionally, only a valid OTP code can now trigger the action URL.
Analysis Summary
# Vulnerability: Facebook SMS Captcha CSRF via Parameter Tampering
## CVE Details
- **CVE ID**: Not Assigned (Disclosed via Meta Bug Bounty Program)
- **CVSS Score**: Estimated 8.3 (High)
- **CWE**: CWE-352 (Cross-Site Request Forgery), CWE-601 (Open Redirect / URL Redirection to Sensitive Site)
## Affected Systems
- **Products**: Meta / Facebook Web Platform
- **Versions**: All web versions prior to February 2022
- **Configurations**: User accounts entering the account recovery flow that trigger an SMS OTP Captcha challenge (often caused by multiple OTP requests).
## Vulnerability Description
The SMS Captcha flow in Facebook’s account recovery process utilized a `next` parameter in the URL to determine the destination of the user after successfully solving the captcha.
The application failed to sufficiently validate or sign this parameter. When a user clicked "Continue" on the captcha page, the platform initiated a POST request to the path specified in the `next` parameter. Because the request was issued by the legitimate Facebook page, it carried the user's valid CSRF token (`fb_dtsg`) along with their session cookies. This allowed an attacker to force an authenticated user to perform sensitive GraphQL operations (such as changing privacy settings or posting to a timeline) simply by tricking them into solving a captcha on a malicious URL.
## Exploitation
- **Status**: PoC available (demonstrated by researcher; patched by vendor)
- **Complexity**: Low
- **Attack Vector**: Network (Requires social engineering to lure a victim to the malicious URL)
## Impact
- **Confidentiality**: High (Can be used to change privacy settings or deanonymize contact points)
- **Integrity**: High (Can allow posting content, updating email addresses, or deleting account data)
- **Availability**: Medium (Can result in account lockouts/modifications)
## Remediation
### Patches
- **Meta Platform Update (Feb 2022)**: Meta deployed a fix that implements Message Authentication Codes (MAC) via a new parameter: `next_mac`. This ensures the redirection URL cannot be tampered with by an attacker.
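The MAC fix described in the Full Report and in the patch note above, as an added Python example (not Meta's code): the server signs the `next` value it chose, and the Continue handler refuses to issue the follow-up POST unless that signature verifies and the OTP check has passed. The paths, the key and the parameter handling are assumptions for illustration; only the parameter names `next` and `next_mac` come from the page.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlsplit

# Server-side key, constructed for this example only; a real service loads it from a secret store.
SERVER_KEY = b"example-only-key-not-for-production"

CAPTCHA_PATH = "/recover/sms_captcha"  # hypothetical path, not Facebook's real one


def sign_next(next_path: str) -> str:
    """HMAC-SHA256 over the server-chosen `next` value; this is the `next_mac`."""
    return hmac.new(SERVER_KEY, next_path.encode("utf-8"), hashlib.sha256).hexdigest()


def build_captcha_url(next_path: str) -> str:
    """Issue the captcha URL the way the patched flow does: `next` travels with its `next_mac`."""
    query = urlencode({"next": next_path, "next_mac": sign_next(next_path)})
    return f"{CAPTCHA_PATH}?{query}"


def continue_after_captcha(url: str, otp_valid: bool):
    """Handle the Continue button. Returns the path the follow-up POST may target, or None.

    The pre-fix behaviour was effectively `return next_path`: whatever the URL said,
    the page POSTed there with the user's CSRF token attached.
    """
    params = parse_qs(urlsplit(url).query)
    next_path = params.get("next", [""])[0]
    next_mac = params.get("next_mac", [""])[0]
    if not otp_valid:
        return None  # only a correct OTP may trigger the action URL
    expected = sign_next(next_path)
    # Constant-time comparison on bytes; a missing or edited `next` fails here.
    if not hmac.compare_digest(next_mac.encode("utf-8"), expected.encode("utf-8")):
        return None
    return next_path


if __name__ == "__main__":
    genuine = build_captcha_url("/recover/continue")
    print(continue_after_captcha(genuine, otp_valid=True))  # /recover/continue
    # Tampered copy: `next` now names a GraphQL endpoint, but the MAC was computed
    # over the original path, so the handler refuses to POST anywhere.
    forged = genuine.replace("%2Frecover%2Fcontinue", "%2Fapi%2Fgraphql%2F", 1)
    print(continue_after_captcha(forged, otp_valid=True))  # None
```

Binding the MAC input to the recovery session id as well (not shown) would additionally stop a validly signed `next` from being replayed in another user's session.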
### Workarounds
- No user-side workarounds exist for the specific flaw; however, users should always inspect the URL of any page asking for security verification to ensure they are on the legitimate `facebook.com` domain without suspicious trailing parameters.
## Detection
- **Indicators of Compromise**: An unexpected or sensitive GraphQL endpoint (e.g., `/api/graphql/`) appearing as the value of the `next=` parameter in an SMS Captcha URL.
- **Detection Methods**: Security researchers can audit account recovery flows for "Redirect-to-POST" patterns where CSRF tokens are automatically appended to user-controlled destinations.
## References
- **Researcher Write-up**: hxxps[://]lokeshdlk77[.]medium[.]com/facebook-sms-captcha-was-vulnerable-to-csrf-attack-8db537b1e980
- **Video PoC**: hxxps[://]youtu[.]be/JcCPjL4aycI
- **Vendor Advisory**: Meta Bug Bounty (Internal Tracked)