A flaw found within facebook.com/comet/dialog_DONOTUSE/ was used to bypass CSRF protection (the fb_dtsg parameter) by tricking a user into clicking a malicious link. “This is possible because of a vulnerable endpoint which takes another given Facebook endpoint selected by the attacker along with the parameters and makes a POST request to that endpoint after adding the fb_dtsg parameter. Also, this endpoint is located under the main domain www.facebook.com which makes it easier for the attacker to trick his victims into visiting the URL,” said the experts who discovered the vulnerability. This flaw could even have allowed an attacker to change the email address or phone number associated with a targeted account and thereby delete it, or do anything else they wanted with the account.
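The pattern described above is an endpoint that accepts a caller-chosen target endpoint plus parameters, mints the session's anti-CSRF token on the caller's behalf, and forwards the request. The following is an added example (not Facebook's code) that models that design flaw in a few lines and places a hardened forwarder beside it: the hardened version demands the token in the incoming request, validates it, restricts forwarding targets to an allowlist and checks the Origin header. All names (`Session`, `Request`, `set_email`, `SITE_ORIGIN`, the handler paths) and the sample requests are constructed for the example.

```python
"""Model of a CSRF-token-forwarding endpoint, vulnerable vs. hardened.

The anti-CSRF token only protects a state-changing handler if the browser
could not have obtained it from a cross-site page.  A forwarder that adds the
token itself hands that protection away: a request arriving with no token at
all is converted into a fully authorised one.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session state (hypothetical)."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    email: str = "original@example.invalid"  # constructed starting value


@dataclass
class Request:
    """Incoming HTTP POST, reduced to the fields the example needs."""
    origin: str   # value of the Origin request header
    form: dict    # parsed form body


SITE_ORIGIN = "https://www.example.invalid"  # constructed site origin


def set_email(session: Session, form: dict) -> dict:
    """State-changing handler; correctly requires a valid token in the form."""
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return {"ok": False, "error": "bad csrf token"}
    session.email = form["email"]
    return {"ok": True}


HANDLERS = {"/settings/email": set_email}
ALLOWED_TARGETS = frozenset(HANDLERS)   # explicit allowlist of forwardable paths


def vulnerable_dialog(session: Session, req: Request) -> dict:
    """Flawed forwarder: trusts the caller-chosen target and injects the token."""
    params = dict(req.form.get("params", {}))
    params["csrf_token"] = session.csrf_token   # the bug: token supplied for free
    return HANDLERS[req.form["target"]](session, params)


def hardened_dialog(session: Session, req: Request) -> dict:
    """Forwarder that preserves the CSRF guarantee of the handler behind it."""
    # 1. Cross-site POSTs carry a foreign Origin; reject them outright.
    if req.origin != SITE_ORIGIN:
        return {"ok": False, "error": "cross-site origin"}
    # 2. The caller must present the token; the forwarder never mints one.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return {"ok": False, "error": "bad csrf token"}
    # 3. Only allowlisted targets may be reached through the forwarder.
    target = req.form.get("target")
    if target not in ALLOWED_TARGETS:
        return {"ok": False, "error": "target not allowed"}
    params = dict(req.form.get("params", {}))
    params["csrf_token"] = token                 # forward the caller's own token
    return HANDLERS[target](session, params)


def demo() -> dict:
    """Run one constructed cross-site request against both forwarders."""
    cross_site = Request(
        origin="https://other-site.invalid",     # constructed foreign origin
        form={"target": "/settings/email",
              "params": {"email": "changed@other-site.invalid"}},  # no token
    )
    s_vuln, s_hard = Session(user="victim"), Session(user="victim")
    return {
        "vulnerable": vulnerable_dialog(s_vuln, cross_site), "email_after_vuln": s_vuln.email,
        "hardened": hardened_dialog(s_hard, cross_site), "email_after_hard": s_hard.email,
    }


if __name__ == "__main__":
    print(demo())
```

The Origin check is defence in depth rather than a substitute for the token: the decisive fix is that the forwarder forwards the token the caller already holds instead of minting one, so a page on another site, which cannot read the victim's token, gains nothing from the endpoint.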
Facebook Paid off $25,000 CSRF Vulnerability
Users should make sure their anti-virus software is up to date. When finished using a site, always log off rather than just minimizing or closing the page; a CSRF attack only works while the victim still holds an active session, so logging out removes the session it relies on. Do not save login IDs or passwords within the browser. Scripting should also be disabled within a user’s browser.