Facebook Vulnerability Allows to Video-Call Mark Zuckerberg!
Have you ever desired to Video-Call the Founder of Facebook?
Well, if your answer is yes, then with this vulnerability it's still possible!
The vulnerability described below uses a GET (in-URI) parameter, reachable through CSRF, to bypass the video-calling blocks in Mark Zuckerberg's privacy settings.
First let me introduce what a CSRF Vulnerability IS:
"A Cross-Site Request Forgery (CSRF) Vulnerability is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user's Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated."
Now, Let's start analyzing it!
First we start from this URL (like we are actually Video-Calling one of our Friends):
https://www.facebook.com/videocall/incall/
When we've identified the Vulnerable GET Parameter, we may apply it as below!
https://www.facebook.com/videocall/incall/?peer_id=
After the peer_id= parameter, we insert Mark Zuckerberg's ID (which is id=4).
So the complete URL will look like this:
https://www.facebook.com/videocall/incall/?peer_id=4
Regarding this bug, the Facebook Security Team has not yet released a fix, which means attackers can continue to use this flaw against the whole social community!
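What a server-side fix for a flaw of this shape looks like, as an added example that is not part of the original post and not Facebook's code: the call endpoint refuses GET, checks an anti-CSRF token, and enforces the callee's privacy settings on the peer_id value instead of trusting the URL. The privacy setting names, user IDs and friend lists are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional
import hmac

# Constructed sample data (assumptions, not real accounts or settings):
# account 4 accepts calls from friends only and has blocked account 1002.
PRIVACY = {
    4: {"who_can_call": "friends", "blocked": {1002}},
    1001: {"who_can_call": "everyone", "blocked": set()},
}
FRIENDS = {4: {1001}}


@dataclass
class Request:
    method: str
    params: dict
    csrf_token: Optional[str] = None


def is_friend(a: int, b: int) -> bool:
    return b in FRIENDS.get(a, set()) or a in FRIENDS.get(b, set())


def call_allowed(caller_id: int, peer_id: int) -> bool:
    """Enforce the callee's privacy settings server-side, regardless of what
    the client put in peer_id."""
    settings = PRIVACY.get(peer_id)
    if settings is None or caller_id == peer_id:
        return False
    if caller_id in settings["blocked"]:
        return False
    policy = settings["who_can_call"]
    if policy == "friends":
        return is_friend(caller_id, peer_id)
    return policy == "everyone"


def handle_incall(request: Request, session: dict) -> tuple:
    """Hypothetical handler for /videocall/incall/; returns (status, reason)."""
    if request.method != "POST":
        return 405, "state-changing action must not be reachable via GET"
    token = request.csrf_token or ""
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    try:
        peer_id = int(request.params.get("peer_id", ""))
    except ValueError:
        return 400, "peer_id must be an integer"
    if not call_allowed(session["user_id"], peer_id):
        return 403, "callee's privacy settings do not allow this call"
    return 200, "call initiated"
```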