Full Report
Facebook and Instagram accounts are deeply integrated through Accounts Center. This allows users to link identities, share authentication methods, and manage global settings. The integration relies on native SSO flows and redirect-based handoffs between applications. Of course, issues within authentication can be catastrophic.

On Facebook, the native SSO login endpoint has three parameters: app_id, token (an FXAuth token), and extra_data. The extra_data commonly contains a redirect path, which is verified by the application that depends on it. This endpoint allows redirects to /accounts_center/ for the Instagram application. By using double URL-encoding and path traversal, it's possible to bypass the normally strict redirect validation.

The end goal of OAuth-based SSO issues is to leak the tokens. With the ability to redirect to any endpoint on Instagram, we don't have the tokens yet, but it's a good starting point. The author found an endpoint that creates a postMessage with the * origin, including the token in its payload. This is the leak of the token that we wanted. This only works if the nonce is set correctly, and the nonce must be legitimate. To get around this, the attacker creates their own account to generate a valid nonce and uses that in the payload. Additionally, the user must be logged in for this primitive to work, so the attacker uses login CSRF to make that happen. Finally, the attacker needs to generate their own FXAuth token to be signed from Accounts Center.

The attack is as follows:

1. The victim visits the attacker's site.
2. The attacker uses a login CSRF primitive to log the victim into the attacker's account.
3. The attacker's website opens a new window with the crafted native SSO URL.
4. The victim confirms the Instagram app.
5. The redirect goes to the vulnerable endpoint, which leaks the token: it posts a message to the opening page containing the full redirect URL, including the token.
6. The attacker captures the message and extracts the blob to log in to the victim's account.
They now have access to the Accounts Center to manage settings. This leads to a complete account takeover. The exploitation had four parts to it: FXAuth token reuse, weak validation of the redirect parameter, token leakage via postMessage, and email-based CSRF. I appreciate the ability to chain all of these together for an account takeover that requires only two clicks. For this, Facebook paid $30K.
Analysis Summary
# Vulnerability: Two-Click Facebook Account Takeover via FXAuth Token and Blob Theft
## CVE Details
- **CVE ID**: N/A (Meta Bug Bounty Program)
- **CVSS Score**: 9.0 (Estimated - Critical)
- **CWE**: CWE-601 (Open Redirect), CWE-20 (Improper Input Validation), CWE-352 (Cross-Site Request Forgery)
## Affected Systems
- **Products**: Facebook (Web), Instagram (Web), Meta Accounts Center.
- **Versions**: All versions prior to November 5, 2024.
- **Configurations**: User must be logged into Facebook and Instagram (integration through Accounts Center).
## Vulnerability Description
This vulnerability is a complex exploit chain involving four distinct security flaws:
1. **Weak Redirect Validation**: The Facebook native SSO endpoint `https://www.facebook[.]com/login/native_sso/` failed to properly sanitize the `extra_data` parameter. Using double URL-encoding and path traversal (e.g., `%252%0DE`), an attacker could bypass strict prefix checks for `/accounts_center/`.
2. **Sensitive Information Leakage (postMessage)**: An Instagram endpoint `/billing_interfaces/external_result` was found to broadcast the full URL (including sensitive `token` and `blob` parameters) via `postMessage` to its `opener` or `parent` window with a wildcard (`*`) origin, provided a valid `nonce` was supplied.
3. **Login CSRF**: Instagram’s email-based login flow (`/_n/web_emaillogin`) allowed an attacker to force a victim's browser to log into an attacker-controlled Instagram account without user interaction.
4. **FXAuth Token Reuse**: The ability to reuse and sign FXAuth tokens across different flow contexts allowed the attacker to initiate the SSO process on behalf of the victim.
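As an added example (not Meta's code, and not taken from the original write-up), here is a redirect-path validator in JavaScript that closes the gap described in item 1: instead of prefix-checking the raw `extra_data` value, it decodes once, refuses any second encoding layer or dot-segment traversal outright, and only then compares the canonical path against the allow-listed prefix. The prefix constant, the function names and every sample input are assumptions constructed for illustration.

```javascript
// Added example, not Meta's code: validate a redirect path the way a
// strict prefix check on `extra_data` should have, i.e. on the decoded
// value, with multi-layer encoding and traversal rejected outright.
// ALLOWED_PREFIX and all sample values below are constructed assumptions.

const ALLOWED_PREFIX = "/accounts_center/";
const MAX_LENGTH = 2048;

function reject(reason) {
  return { ok: false, reason };
}

function validateRedirectPath(rawExtraData) {
  if (typeof rawExtraData !== "string" || rawExtraData.length > MAX_LENGTH) {
    return reject("missing or oversized value");
  }
  // Decode exactly once. Legitimate clients percent-encode once, so any
  // '%' that survives a single decode is a second encoding layer
  // (e.g. %252E -> %2E -> '.'), which a downstream decoder would unwrap
  // after this check has already passed. Refuse it instead of normalizing.
  let decoded;
  try {
    decoded = decodeURIComponent(rawExtraData);
  } catch (e) {
    return reject("malformed percent-encoding");
  }
  if (decoded.includes("%")) {
    return reject("multi-layer encoding");
  }
  // Control characters (CR/LF/NUL) and backslashes have no place in a
  // same-origin path; some parsers treat '\' as '/'.
  if (/[\u0000-\u001f\u007f\\]/.test(decoded)) {
    return reject("control character or backslash");
  }
  // Must be an absolute same-origin path; '//host' would be scheme-relative.
  if (!decoded.startsWith("/") || decoded.startsWith("//")) {
    return reject("not an absolute same-origin path");
  }
  // Check the path component only; query and fragment are not used for routing.
  const pathOnly = decoded.split(/[?#]/, 1)[0];
  if (pathOnly.split("/").some((seg) => seg === "." || seg === "..")) {
    return reject("dot-segment traversal");
  }
  if (!pathOnly.startsWith(ALLOWED_PREFIX)) {
    return reject("outside allow-listed prefix");
  }
  return { ok: true, path: decoded };
}

// Constructed sample inputs exercising the accept and reject paths.
const SAMPLE_INPUTS = [
  "/accounts_center/settings",               // plain, allowed
  "%2Faccounts_center%2Fsettings%3Ftab%3D1", // single-encoded, allowed
  "/accounts_center/../profile",             // literal traversal
  "/accounts_center/%2E%2E/profile",         // encoded traversal
  "/accounts_center/%252E%252E/profile",     // double-encoded traversal
  "//evil.example/accounts_center/",         // scheme-relative host
  "/accounts_center/x%0D%0AInjected",        // control characters
  "/accounts_centre/settings",               // wrong prefix
];

function classifySamples() {
  const results = {};
  for (const input of SAMPLE_INPUTS) {
    results[input] = validateRedirectPath(input);
  }
  return results;
}

for (const [input, result] of Object.entries(classifySamples())) {
  console.log(result.ok ? "ACCEPT" : "REJECT", input, result.reason || "");
}
```

The design choice worth noting is that the validator never tries to canonicalize a suspicious value into something acceptable; every ambiguity (extra encoding layers, dot segments, control characters) is a hard rejection, so the check and the downstream consumer cannot disagree about what the path means.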
## Exploitation
- **Status**: PoC available; addressed by vendor.
- **Complexity**: Medium (Requires chaining multiple primitives and a valid attacker-generated nonce).
- **Attack Vector**: Network (Web-based).
The attack requires the victim to visit an attacker-controlled site and perform two clicks (to confirm the app integration). The attacker forces a login to their own Instagram account on the victim's browser, triggers the SSO flow, and captures the leaked `token` and `blob` via the `postMessage` event listener.
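The leak that the capture step above relies on came from a page posting its full URL to the opener with a wildcard target origin. The following is an added example, not Instagram's code and not from the original write-up, of the two-sided fix in JavaScript: the sender names a concrete target origin and redacts credential-bearing parameters before anything leaves the page, and the receiver checks `event.origin` and the message shape before trusting the payload. The origin constant, the stub window standing in for `window.opener`, and the sample result URL are constructed assumptions so the code runs outside a browser.

```javascript
// Added example, not Instagram's code. The leak described above came from
// posting the page's full URL to the opener with targetOrigin '*'. This
// shows the two-sided fix: the sender names a concrete target origin and
// redacts credential-bearing parameters; the receiver checks event.origin
// and the message shape. TRUSTED_ORIGIN, the stub window and the sample
// URL are constructed assumptions so the code runs in Node.

const TRUSTED_ORIGIN = "https://www.instagram.example";
const SENSITIVE_PARAMS = new Set(["token", "blob", "nonce", "access_token", "code"]);

// Remove credential-bearing query parameters before the URL leaves the page.
function redactResultUrl(urlString) {
  const url = new URL(urlString);
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      url.searchParams.delete(key);
    }
  }
  return url.toString();
}

// Hardened sender. Refuses to post at all rather than fall back to '*',
// and sends a small typed object instead of the raw location.
function postResult(targetWindow, resultUrl, expectedOrigin) {
  if (!targetWindow || typeof targetWindow.postMessage !== "function") {
    return { sent: false, reason: "no target window" };
  }
  if (typeof expectedOrigin !== "string" || expectedOrigin === "*" || !expectedOrigin.startsWith("https://")) {
    return { sent: false, reason: "refusing to post without a concrete https target origin" };
  }
  const payload = { type: "billing_result", url: redactResultUrl(resultUrl) };
  targetWindow.postMessage(payload, expectedOrigin);
  return { sent: true, payload, targetOrigin: expectedOrigin };
}

// Receiver side: the matching `message` handler. Origin first, shape second.
function handleResultMessage(event, trustedOrigins) {
  if (!trustedOrigins.includes(event.origin)) {
    return { accepted: false, reason: "untrusted origin " + event.origin };
  }
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "billing_result" || typeof data.url !== "string") {
    return { accepted: false, reason: "unexpected message shape" };
  }
  return { accepted: true, url: data.url };
}

// Constructed stand-in for window.opener so the example runs in Node.
function makeStubWindow() {
  const received = [];
  return {
    received,
    postMessage(data, targetOrigin) {
      received.push({ data, targetOrigin });
    },
  };
}

function demo() {
  // Constructed sample: a result URL of the shape the write-up describes,
  // carrying token/blob/nonce alongside a harmless status parameter.
  const resultUrl = TRUSTED_ORIGIN + "/billing_interfaces/external_result?status=ok&token=T0KEN&blob=BL0B&nonce=N0NCE";
  const opener = makeStubWindow();
  const sendOk = postResult(opener, resultUrl, TRUSTED_ORIGIN);
  const sendWildcard = postResult(opener, resultUrl, "*");
  const fromTrusted = handleResultMessage({ origin: TRUSTED_ORIGIN, data: opener.received[0].data }, [TRUSTED_ORIGIN]);
  const fromElsewhere = handleResultMessage({ origin: "https://attacker.example", data: opener.received[0].data }, [TRUSTED_ORIGIN]);
  return { sendOk, sendWildcard, delivered: opener.received, fromTrusted, fromElsewhere };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real page the `expectedOrigin` passed to `postResult` should come from server-side state that was fixed when the flow started (for example the registered redirect origin of the app), never from a query parameter the opener controls; otherwise the origin check is only as strong as the redirect validation in front of it.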
## Impact
- **Confidentiality**: High (Theft of authentication tokens and account blobs).
- **Integrity**: High (Attacker can link their Instagram to the victim’s Facebook, taking over settings).
- **Availability**: High (Complete account takeover; bypasses 2FA/passwords via Accounts Center).
## Remediation
### Patches
- Meta deployed a server-side fix on **November 5, 2024**, to address the redirect validation and the sensitive data leakage in the `postMessage` payload.
### Workarounds
- Users should ensure they are running up-to-date browser versions and monitor their **Accounts Center** for any unrecognized linked accounts (Instagram/Facebook).
## Detection
- **IOCs**: Unexpected logins to unrecognized Instagram accounts within the same browser session; redirects to `https://www.facebook[.]com/login/native_sso/` containing path traversal characters.
- **Methods**: Monitoring for `postMessage` events with `targetOrigin: '*'` containing sensitive parameters (`token`, `blob`, `nonce`).
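As an added example of the monitoring method above (not a Meta tool, and not from the original write-up), here is a client-side audit hook in JavaScript that wraps a window's `postMessage`, classifies every call, and records a finding when the target origin is `*` or the payload carries credential-like parameters (`token`, `blob`, `nonce`). It is the kind of instrumentation one would load from a test harness or browser extension during a review; the stub window and the sample messages are constructed so it runs in Node.

```javascript
// Added example, not a Meta tool: audit hook for the detection method
// above. It wraps win.postMessage and records a finding whenever a message
// is posted with targetOrigin '*' or its payload carries credential-like
// parameters. The stub window and sample messages are constructed.

const SENSITIVE_KEYS = ["token", "blob", "nonce", "access_token"];

function decodeURIComponentSafe(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Return the sensitive keys found in a payload: strings are scanned as
// query-string style key=value pairs (a full URL included), objects are
// walked recursively with a depth limit.
function findSensitiveKeys(data, depth = 0) {
  const found = new Set();
  if (depth > 5 || data == null) return [];
  if (typeof data === "string") {
    const qs = data.includes("?") ? data.slice(data.indexOf("?") + 1) : data;
    for (const pair of qs.split(/[&#]/)) {
      const key = decodeURIComponentSafe(pair.split("=")[0]).toLowerCase();
      if (SENSITIVE_KEYS.includes(key)) found.add(key);
    }
  } else if (typeof data === "object") {
    for (const [key, value] of Object.entries(data)) {
      if (SENSITIVE_KEYS.includes(key.toLowerCase())) found.add(key.toLowerCase());
      for (const k of findSensitiveKeys(value, depth + 1)) found.add(k);
    }
  }
  return [...found];
}

// Classify one postMessage call. Returns null when nothing is suspicious.
function auditPostMessageCall(data, targetOrigin) {
  const wildcard = targetOrigin === "*";
  const sensitive = findSensitiveKeys(data);
  if (!wildcard && sensitive.length === 0) return null;
  const severity = wildcard && sensitive.length > 0 ? "high" : wildcard ? "medium" : "low";
  return { severity, wildcardOrigin: wildcard, sensitiveKeys: sensitive, targetOrigin };
}

// Wrap win.postMessage so every call is audited, then delivered unchanged.
function installPostMessageAudit(win, sink) {
  const original = win.postMessage.bind(win);
  win.postMessage = function (data, targetOrigin, transfer) {
    const finding = auditPostMessageCall(data, targetOrigin);
    if (finding) sink(finding);
    return original(data, targetOrigin, transfer);
  };
}

// Constructed stub window and constructed messages for a self-contained run.
function runAuditDemo() {
  const findings = [];
  const win = { delivered: [], postMessage(d, o) { this.delivered.push({ d, o }); } };
  installPostMessageAudit(win, (f) => findings.push(f));
  win.postMessage("https://app.example/billing_interfaces/external_result?token=abc&blob=xyz&nonce=123", "*"); // leak pattern
  win.postMessage({ type: "resize", height: 400 }, "*");                    // wildcard, no secrets
  win.postMessage({ type: "login", token: "abc" }, "https://app.example");  // secret, explicit origin
  win.postMessage({ type: "ready" }, "https://app.example");                // clean
  return { findings, delivered: win.delivered.length };
}

console.log(JSON.stringify(runAuditDemo(), null, 2));
```

The severity ladder is deliberate: a wildcard origin together with a credential-like key is the exact pattern behind this report and is flagged high, a wildcard on its own is worth a look but is often benign (resize and ready handshakes), and a secret sent to a concrete origin is low unless that origin turns out to be attacker-influenced.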
## References
- [Youssef Sammouda (sam0) Personal Blog](https://ysamm[.]com/)
- [Meta Bug Bounty Program](https://www.facebook[.]com/whitehat)