This year, at the Enigma 2017 conference, Facebook introduced a way to move account recovery beyond email and the "secret" question.
After the presentation they moved operationally and presented the first integration partner: Github.
These days I have seen a lot of press around this, and both Facebook and Github open sourced their implementation and specification (also presented at F8).
Well, it turned out that the Facebook side was susceptible to Cross Site Request Forgery.
Really simple explanation:
- The attacker starts the integration with Github and stops the flow at the right moment.
- They create an attacker page such as https://github.com/asanso/asanso.github.io/blob/master/facebook/test_fb.html
Then it is enough for the victim to visit asanso.github.io/facebook/test_fb.html, and they will have a new Github token belonging to the attacker under https://www.facebook.com/settings?tab=security&section=delegated_account_recovery&view.
You might say: nice, but what's the threat here?
Indeed, this is exactly what Facebook replied. Despite that, they fixed the issue by adding an additional confirmation page.
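To make the defect and the fix concrete, here is an added, hypothetical model of a recovery-token "save" callback; it is not Facebook's or Github's code and does not follow the Delegated Account Recovery specification. The vulnerable handler stores whatever token the browser posts for the logged-in user, so a cross-site form in the victim's browser attaches a token that the attacker obtained in their own flow. The hardened handler only accepts a token when the request carries a `state` nonce that was issued to the same session that started the flow, and only after the user has explicitly confirmed. All names (`Session`, `Store`, `start_flow`, `save_token_*`) are assumptions for the example.

```python
"""Hypothetical model of a recovery-token save callback (example code, not
Facebook's or Github's). Compares a CSRF-able handler with one that binds
the flow to the session that started it and requires explicit confirmation."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    """Server-side session identified by the browser's cookie."""
    user: str
    pending_state: Optional[str] = None  # nonce issued when THIS session started a flow
    confirmed: bool = False              # set only by an explicit confirmation click


@dataclass
class Store:
    """Persisted recovery tokens: user -> (issuer, token)."""
    tokens: Dict[str, Tuple[str, str]] = field(default_factory=dict)


def start_flow(session: Session) -> str:
    """User clicks 'add recovery provider': mint a nonce bound to this session."""
    session.pending_state = secrets.token_urlsafe(16)
    session.confirmed = False
    return session.pending_state


def confirm(session: Session) -> None:
    """The extra confirmation page: the user explicitly accepts the pending token."""
    session.confirmed = True


def save_token_vulnerable(store: Store, session: Session, form: Dict[str, str]) -> str:
    """Trusts any POST arriving with the user's cookie: no binding to the flow
    the user started, so a cross-site form is indistinguishable from a real one."""
    store.tokens[session.user] = (form["issuer"], form["token"])
    return "saved"


def save_token_hardened(store: Store, session: Session, form: Dict[str, str]) -> str:
    """Accepts the token only if the posted state matches the nonce issued to this
    session (a forged cross-site request cannot know it) and the user confirmed."""
    expected = session.pending_state
    if expected is None or not secrets.compare_digest(form.get("state", ""), expected):
        return "rejected: state mismatch"
    if not session.confirmed:
        return "pending confirmation"
    store.tokens[session.user] = (form["issuer"], form["token"])
    session.pending_state = None  # one-shot: the nonce cannot be replayed
    session.confirmed = False
    return "saved"


def demo() -> Dict[str, object]:
    """Replays the scenario from the post against both handlers (constructed data)."""
    # Constructed: a token the attacker obtained by running their own flow and
    # stopping it before the save step, then embedding it in a cross-site form.
    forged_form = {"issuer": "github.example", "token": "ATTACKER-TOKEN-placeholder"}

    # Victim visits the attacker page; the browser sends the victim's cookie.
    victim = Session(user="victim")
    vuln_store = Store()
    vuln_result = save_token_vulnerable(vuln_store, victim, forged_form)

    # Same forged request against the hardened handler: victim never started a flow.
    victim2 = Session(user="victim")
    hard_store = Store()
    forged_result = save_token_hardened(hard_store, victim2, forged_form)

    # Legitimate flow: user starts it, provider posts back with the matching state.
    legit = Session(user="alice")
    state = start_flow(legit)
    legit_form = {"issuer": "github.example", "token": "ALICE-TOKEN-placeholder", "state": state}
    before_confirm = save_token_hardened(hard_store, legit, legit_form)
    confirm(legit)
    after_confirm = save_token_hardened(hard_store, legit, legit_form)
    replay = save_token_hardened(hard_store, legit, legit_form)  # nonce already consumed

    return {
        "vuln_result": vuln_result,
        "vuln_victim_has_attacker_token": vuln_store.tokens.get("victim") == ("github.example", "ATTACKER-TOKEN-placeholder"),
        "forged_result": forged_result,
        "hard_victim_has_token": "victim" in hard_store.tokens,
        "before_confirm": before_confirm,
        "after_confirm": after_confirm,
        "alice_saved": hard_store.tokens.get("alice") == ("github.example", "ALICE-TOKEN-placeholder"),
        "replay": replay,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The session-bound `state` is what breaks the attack described above: the nonce lives only in the session of whoever started the flow, so a request triggered from another origin with the victim's cookie cannot present it. The confirmation step is the second, independent guard that Facebook's fix added, and consuming the nonce on success prevents the same callback from being replayed.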
For the record, the threat here is a Login CSRF to a Github account that is kind of
That's all folks. For more Meh follow me on Twitter.