A security researcher found a significant cross-site request forgery (CSRF) vulnerability in Facebook that could have allowed an attacker to take over a victim's account, bypassing the password entirely, simply by sending the targeted user a link.
The vulnerable endpoint also lives under the main domain, www.facebook.com, which makes it easier for the attacker to trick victims into visiting the URL.
Security researcher “Samm0uda” found the vulnerability in the endpoint “https://www.facebook.com/comet/dialog_DONOTUSE/?url=GLOBALHACKNEWS”, where GLOBALHACKNEWS stands for the endpoint (with its parameters) to which the POST request is then made. Because the POST is issued from the victim's own session, the usual CSRF protection is bypassed: an attacker could change or delete the victim's profile picture, trick users into deleting their entire accounts, and, as described below, take over the account.
“Samm0uda” reported the vulnerability, with the details of his exploit, to Facebook on 26 January 2019. Facebook fixed the issue on 31 January 2019 and awarded the researcher a $25,000 bounty.
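The class of bug described above, as an added example that is neither Facebook's code nor the researcher's exploit: a toy Python model of a CSRF-protected action endpoint, a "dialog" relay that takes its POST target from a query-string URL and attaches the victim's anti-CSRF token on their behalf (the flaw), and a hardened relay that refuses to do so. Every name here (csrf_token, the action paths, the user record) is an assumption for illustration. The attacker's link carries no token, yet the vulnerable relay turns it into an accepted state-changing POST; the same single relayed request is the first step of the email-based takeover described in the next section.

```python
import secrets
from urllib.parse import urlsplit, parse_qsl

# Constructed toy model; names and behaviour are assumptions, not Facebook's code.


class Session:
    """A logged-in victim: a user record plus a per-session anti-CSRF token."""

    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(16)


def post_action(session, path, params):
    """State-changing endpoints. Each demands the session's anti-CSRF token
    in the POST body, which a cross-site link or form cannot supply."""
    if params.get("csrf_token") != session.csrf_token:
        return "rejected: missing or wrong csrf_token"
    if path == "/profile/picture/remove":
        session.user["picture"] = None
        return "ok: picture removed"
    if path == "/settings/email/add":
        session.user["pending_email"] = params.get("email")
        return "ok: email pending confirmation"
    return "unknown action"


def vulnerable_dialog(session, target_url):
    """The flaw: a GET-reachable relay that parses an attacker-chosen URL
    (path and parameters), adds the victim's own token, and issues the POST.
    Any link to this endpoint becomes a valid authenticated POST."""
    parts = urlsplit(target_url)
    params = dict(parse_qsl(parts.query))
    params["csrf_token"] = session.csrf_token  # token minted on the caller's behalf
    return post_action(session, parts.path, params)


def hardened_dialog(session, target_url):
    """The fix: never attach the token for the caller. The token must already
    be in the target, which only same-origin code that has read the victim's
    page can know; a link crafted by an attacker cannot contain it."""
    parts = urlsplit(target_url)
    params = dict(parse_qsl(parts.query))
    return post_action(session, parts.path, params)


def attacker_link(target_path, **params):
    """The URL an attacker would pass in the relay's query string; note that
    the attacker does not know, and cannot include, the victim's token."""
    qs = "&".join(f"{k}={v}" for k, v in params.items())
    return f"{target_path}?{qs}" if qs else target_path


if __name__ == "__main__":
    victim = Session({"picture": "me.jpg"})
    link = attacker_link("/profile/picture/remove")
    print("vulnerable relay:", vulnerable_dialog(victim, link))
    victim = Session({"picture": "me.jpg"})
    print("hardened relay:  ", hardened_dialog(victim, link))
```

The hardened version is only one half of the fix: a relay that forwards arbitrary paths should also restrict the target to an explicit allowlist, so that an attacker cannot use it to reach endpoints that were never meant to be driven from a GET link.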
Bypassing the password: completely taking over Facebook accounts
To gain full access to the victim's account, the attacker adds a new email address or phone number to it (outright account deletion is harder to abuse, since the victim has to enter their password before the account is deleted). The researcher says this requires the victim to visit two different URLs: one to add the email address or phone number and one to confirm it.
The researcher explains that this is “because the ‘normal’ endpoints used to add emails or phone numbers don’t have a ‘next’ parameter to redirect the user after a successful request”.
Once an attacker-controlled email address has been added to the victim's account, the attacker can take over the account simply by resetting its password, locking the legitimate user out.
The researcher said the cross-site request forgery would have allowed any malicious user to hijack a Facebook account “in the blink of an eye.”