Monday, October 4, 2010

Facebook CSRF and XSS vulnerabilities

Facebook comes with an anti-CSRF system based on two tokens, respectively called post_form_id and fb_dtsg. These tokens change frequently, and are certainly built upon several parameters including time of day, time of account creation, user id, and many others. Determining the values of these tokens for a specific user is, to our view, impossible.

Fortunately, Facebook provides a functionality called “profile preview”, allowing users to see how their own profile appears to any other user. It can be accessed using the URL

More Details:

No comments: