Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Scheme Defeats Facebook’s Defense Against Cross-site Request Forgery Attacks (CSRF)

Researchers at Symantec have uncovered a way to fool Facebook users into defeating the social network’s defense against cross-site request forgery attacks.

Researchers at Symantec have uncovered a way to fool Facebook users into defeating the social network’s defense against cross-site request forgery attacks.

Known as CSRF for short, cross-site request forgery attacks are a type of attack where the attackers use an authenticated session on a Website to perform unauthorized actions on the site. Guarding against these attacks are Anti-CSRF tokens, which are typically random, unique tokens generated by the Website. In order to generate a CSRF token, the attackers have to figure out the Anti-CSRF token, which in turn makes the attacks harder to execute.

The scheme takes a bit of trickery on the part of the attacker. According to Symantec, the attack starts with a message inviting users to watch a video. From there, if users click on the link, they will be taken to a fake YouTube page where a window will pop up requiring the person to pass a “YouTube Security Verification” test. When the user clicks on the “Generate Code” link, a request is sent to This request will return JavaScript code the user will then be prompted to paste into the “Insert Verification Code” box.

FaceBook Anti-CSRF Token Attack

“So what is so special about this JavaScript Code? The answer is the Anti-CSRF token called ‘fb_dtsg’,” blogged Nishant Doshi, security analyst at Symantec. “In order to prevent CSRF attacks, Facebook pages have a unique per session token called “fb_dtsg”. The request to “” returns JavaScript code containing the “fb_dtsg” token… In this case the attacker’s third-party site receives this Anti-CSRF token when the user copy and pastes the JavaScript code and clicks Confirm. The attacker is now in a position to perform CSRF attacks.”

As a result of the CSRF attack, a malicious link is posted on the victim’s Facebook page using the stolen token, potentially further propagating the attack.

Facebook spokesperson Frederic Wolens told SecurityWeek that engineers have been working to deal with the problem of Anti-CSRF token hijacking by adding enforcement mechanisms to shutdown malicious pages and fake accounts. In addition, Facebook has also been working with browser vendors to “ensure their features are not being maliciously exploited.”

In addition to the CSRF attack, Facebook security was also put under the lens recently when security researcher Nathan Power discovered a way to upload executables to Facebook. Essentially, he uncovered a bug that enabled him to send a Facebook message with an attachment. Facebook downplayed the attack however, noting the Messages feature does not rely solely on string matching to detect potentially malicious files but also has antivirus protection scanning every message. Power’s attack, as demonstrated, would only allow one user to send an obfuscated renamed file to another user, but would not automatically execute on the recipient’s machine.

This means that just like with the Anti-CSRF token stealing scheme success for the attacker relies on social engineering.

“Educating users is one of the primary tools to combat social engineering attacks,” said Ben Greenbaum, senior research manager for Symantec Security Response. “Users should be taught what to watch out for and to avoid divulging any potentially sensitive information online.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

A new report finds that barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack...