How to Delete Facebook friends of any user by exploiting CSRF vulnerability

By Partho, Gaea News Network
Tuesday, May 25, 2010

Whack! Facebook’s not in the good books right now. It’s time for the geeky fellas to break the walls. We have already discussed the Facebook vulnerability; now it’s time to work around it. If you have a Facebook friend who’s always poking in on your friends, here’s your turn to give him a tough time. Well, Facebook’s all about loops and holes, and you gotta make the most of it. How about deleting the Facebook friends of any of your friends? Of course, you can do it by exploiting Facebook’s CSRF vulnerability. Facebook does not enforce the CSRF protection token “post_form_id”. When the post_form_id is deleted entirely from some requests, Facebook executes them as if the token had never been required in the first place. We gotta hack this for our purpose.

Facebook claims to have fixed this bug. Still, a CSRF vulnerability remains in the request used to delete a friend.

This will require you to omit the “post_form_id”, as well as a few other parameters. I noticed that Facebook will still carry out the deletion of the friend whose id was specified in the request. It allows you to seamlessly delete specified friends from the currently logged-in Facebook user by getting the user to visit a specially crafted web page.
Here is a video demo that shows how users can take advantage of the vulnerability to seamlessly update a user’s Facebook profile information.
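
The missing-token behaviour described above comes down to a server-side check that validates the token only when it is present. The following is an added example, not Facebook's code and not part of the original article: it contrasts that lenient check with one that rejects a missing token. Everything except the parameter name post_form_id (the handler, the friend_id field, the HMAC-based token scheme, the sample requests) is an assumption made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret key


def issue_token(session_id: str) -> str:
    """Anti-CSRF token bound to the session (hypothetical scheme)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _matches(session_id: str, token: str) -> bool:
    expected = issue_token(session_id)
    # Compare as bytes so non-ASCII input cannot raise TypeError.
    return hmac.compare_digest(token.encode(), expected.encode())


def check_lenient(session_id: str, params: dict) -> bool:
    """Flawed pattern: the token is verified only if the client sent one."""
    token = params.get("post_form_id")
    if token is None:
        return True  # absent token is treated as "not required"
    return _matches(session_id, token)


def check_strict(session_id: str, params: dict) -> bool:
    """Hardened pattern: a missing or empty token fails closed."""
    token = params.get("post_form_id")
    if not isinstance(token, str) or not token:
        return False
    return _matches(session_id, token)


def handle_remove_friend(session_id: str, params: dict, check) -> int:
    """Hypothetical state-changing handler; returns an HTTP status code."""
    if not check(session_id, params):
        return 403
    # ... the friend removal for params["friend_id"] would happen here ...
    return 200


if __name__ == "__main__":
    sid = "constructed-session-id"  # constructed sample input
    requests = {
        "valid token": {"friend_id": "1001", "post_form_id": issue_token(sid)},
        "wrong token": {"friend_id": "1001", "post_form_id": "0" * 64},
        "token omitted": {"friend_id": "1001"},
    }
    for label, params in requests.items():
        print(label,
              handle_remove_friend(sid, params, check_lenient),
              handle_remove_friend(sid, params, check_strict))
```

Only the "token omitted" request separates the two checks, which is why a test suite that exercises valid and invalid tokens but never an absent one will not catch the lenient version.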

Now you might ask: is it possible to delete all the friends of the currently logged-in Facebook user at once by forcing them to visit a malicious web page? Most users’ Facebook friend lists are public. You need to look for their profile ids. It is possible but requires authorization. Authorization is also required for the new API calls. We decided to do a raw HTML scrape of their friends list. You need to parse out the id of each friend on the target’s friends list. Now execute the user deletion request for the id of each of the victim’s friends.

This article is intended merely to demonstrate a major Facebook flaw that Facebook should plug asap.

Discussion
June 3, 2010: 2:52 am

Howdy,

Facebook is centered around friends that you can contact at will and discuss situations. My experience with it is that it’s no different than any other social marketing concept…find friends.. and request more friends.

I wrote an article on my blog about the friend gathering process that most people use to gain more friends on Facebook. I must say that blog got a lot of attention from thousands of curious people who wanted to know how they can gain more friends from Facebook without the spamming.

It was my goal to show people that it doesn’t matter if you’ve got 100 Facebook friends or the limit of 5,000…if no one knows who you really are, then doing friend requests is just a waste of time.

You must concentrate on branding yourself before doing Facebook friend invites.

Thanks for letting me post my crazy thoughts..

TrafficColeman “Signing Off”
