Friday, 1 June 2012

Facebook Logout, CSRF and OAuth 2

According to http://developers.facebook.com/docs/authentication/ in order to programmatically log the user out of Facebook from an OAuth 2 client (single sign-off) is enough to redirect the user to

https://www.facebook.com/logout.php?
    next=YOUR_REDIRECT_URL
   &access_token=USER_ACCESS_TOKEN

This would require a valid access token and a valid redirect url.
Alternatively this can be achieved client side by calling FB.logout() .
In practice though there is a third (obviously not documented) unofficial way to achieve the same.
It is the case indeed that the standard log out form of Facebook suffer from CSRF.
Indeed while posting to http://www.facebook.com/logout.php the related form uses a field,  fb_dtsg, that is supposed to be an anti-CSRF token, however it is not verified properly/at all. Removing this field still resulted in successful logout!

According to Facebook (I have been in touch with them about this) this is not a security issue though (primarily because the lack of same-origin enforcement on setting and clearing cookies).

Here some collected thoughts from the Google security team about this topic : http://www.google.com/about/corporate/company/rewardprogram.html#logout-forgery
 https://sites.google.com/site/bughunteruniversity/nonvuln/logout-xsrf

No comments: