Please send me Your Facebook Anti-CSRF Token!
In the last few months we have seen a variety of spam campaigns propagating on social networking websites. Most of these attacks use some flavor of social engineering tactics. Every now and then, we see some innovative social engineering techniques used by attackers. Here is one such technique that tricks the victim into revealing their all-important Facebook Anti-CSRF token.
Cross-site Request Forgery attacks
A Cross-site Request Forgery (CSRF) is a type of attack in which attackers can re-use an already authenticated session to a website to perform unwanted actions on that website without the user’s knowledge or consent. For example, let’s say that a user is logged into his or her banking website. If this bank’s website suffers from a CSRF weakness, then another malicious website (say, bad.com) can instruct the user’s browser to navigate to the bank’s webpage to perform actions, such as transferring funds, without the user’s knowledge. For the browser and the bank’s website, it is equivalent to the user opening another tab and performing these actions themselves. Anti-CSRF tokens are one of the many ways employed by websites to prevent CSRF attacks.
Anti-CSRF tokens are usually random, one-time values generated by the website. They are submitted as hidden input parameters in Web forms and validated at the back end when a form or action is posted, so that any CSRF attempt underway is rejected. To forge a request, attackers would need to know or guess the Anti-CSRF token, which makes CSRF attacks hard to execute.
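To make the token mechanism just described concrete, here is an added example (not code from the original post, and not Facebook's implementation) of a minimal server-side anti-CSRF token issuer and validator: each token is bound to a session and a form name with an HMAC, expires, and is accepted only once. The key, session ids and form names are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Constructed placeholder: a real deployment loads this from protected config.
SECRET_KEY = secrets.token_bytes(32)


class CsrfTokenStore:
    """Issue and validate one-time anti-CSRF tokens bound to a session and a form."""

    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        self._unused = set()  # nonces issued but not yet consumed

    def issue(self, session_id, form_name, now=None):
        """Return a token of the form '<issued>.<nonce>.<mac>' for a hidden form field."""
        now = int(now if now is not None else time.time())
        nonce = secrets.token_hex(16)
        msg = f"{session_id}|{form_name}|{now}|{nonce}".encode()
        mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
        self._unused.add(nonce)
        return f"{now}.{nonce}.{mac}"

    def validate(self, token, session_id, form_name, now=None):
        """Accept a token only for the session and form it was issued for, once, before expiry."""
        now = int(now if now is not None else time.time())
        try:
            issued, nonce, mac = token.split(".")
            issued = int(issued)
        except ValueError:
            return False  # malformed token
        if now - issued > self.ttl:
            return False  # expired
        msg = f"{session_id}|{form_name}|{issued}|{nonce}".encode()
        expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False  # wrong session, wrong form, or tampered
        if nonce not in self._unused:
            return False  # replayed, or never issued by this server
        self._unused.discard(nonce)  # one-time use
        return True
```

Binding the token to the session and form and consuming it on first use limits what a leaked token can be used for, but a token the user hands over is still valid inside that user's own session, which is exactly why the copy-and-paste trick in this post works.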
This blog details the techniques used by the attacker to get access to this Anti-CSRF token. There are three stages to this attack.
Stage 1 – Falling for the scam
It starts with an enticing message, like the one below, appearing in the user’s newsfeed from the user’s friend.
Stage 2 – Tricking the user into sending their Facebook Anti-CSRF token
Upon clicking this link, the user is directed to a fake YouTube Web page as shown below. In order to view the video, the user is prompted to verify their identity.
Step 1 of this verification process involves generating a verification code by clicking the Generate Code link. The next and final step is copying and pasting the code obtained in step 1 into the verification text box and clicking the Confirm button.
The attacker is tricking the victim into revealing his or her Facebook Anti-CSRF token.
Stage 3 – CSRF attack: Malicious links silently posted to the user’s wall
The thing to note here is that the “post_form_id” value is irrelevant to the success of this attack. In fact, the attacker chose to randomly generate a “post_form_id” value in the code above.
Comparison to self-XSS copy and paste attacks
This attack technique is similar in nature to the self-XSS copy and paste attacks that we saw on the Facebook platform this summer.
Although by and large we haven’t seen attackers propagate malicious browser exploits and drive-by downloads using these spam campaigns, we conjecture that attackers might naturally gravitate towards this in the near future. Furthermore, attackers are using some really innovative social engineering techniques to trick their victims. We advise users to keep their security software up to date and not click on any links that seem suspicious.
It’s worth noting that we’ve reached out to Facebook, and they inform us that they’ve had great cooperation from browser vendors in fixing these issues and will continue to work with them. They also stated that they try to prevent this behavior by automated monitoring of accounts for suspicious activity.