A flaw found within facebook.com/comet/dialog_DONOTUSE/ was used to avoid CSRF parameters and trick a user into clicking on the malicious link. “This is possible because of a vulnerable endpoint which takes another given Facebook endpoint selected by the attacker along with the parameters and make a POST request to that endpoint after adding the fb_dtsg parameter. Also, this endpoint is located under the main domain www.facebook.com which makes it easier for the attacker to trick his victims to visit the URL,” said experts who discovered the vulnerability. This flaw could have even allowed an attacker to delete the account of a targeted user by changing the email address or phone number associated with it, which could allow them to do whatever they wanted with the account.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased