What is CSRF Vulnerability ?
CSRF (Cross Site Request Forgery) is a sneaky attack where a hacker fools you into doing something on a website that you didn’t mean to do. Let’s say you’re logged into your bank account and you receive an email from what appears to be your bank with a link to click. When you click that link, you’re actually taken to a page controlled by the hacker. Even though you’re logged into your bank account, you’re also unknowingly doing something on the hacker’s page. Since your browser sends all the necessary info to the website automatically, the hacker can use that info to do things like transfer money or change your password, all without your knowledge or permission.
Instagram, the popular social media platform owned by Facebook, has been hit by a security vulnerability that allowed an attacker to change the comment keyword filter on behalf of other users. The vulnerability was caused by a Cross-Site Request Forgery (CSRF) weakness, which the attacker Mohamed Laajimi was able to exploit.
According to the details provided, the vulnerability was discovered by the researcher who opened the URL https://www.instagram.com/accounts/comment_filter/ and added any keyword.
By intercepting the request, the attacker found an interesting header called X-CSRFTOKEN, which is used to verify if the request is coming from the account owner. And by deleting this header, the attacker still was able to send a successful request without any check of the CSRF token.
The attacker then wrote an exploit code to take advantage of the vulnerability in the form of an HTML page that included a form that submitted a request to the vulnerable endpoint.
The form had a hidden field with the value “test” and a submit button. The attacker also included an auto-submit script to automatically submit the form.
Facebook, the parent company of Instagram, was notified of the vulnerability on January 16th, 2021, and acknowledged the issue three days later. The vulnerability was fixed on February 22nd, 2021, and the attacker was awarded a bounty for their efforts.
However, the internal research by Facebook following the fix of the initial bug, identified other vulnerable endpoints, demonstrating the importance of continuous security assessments for protecting user data.
In conclusion, Instagram’s CSRF vulnerability could have had serious consequences, but it was quickly addressed by Facebook after the issue was reported. The social media giant has since taken additional steps to further secure their platform.
How to Prevent CSRF Vulnerability?
Here are some steps to prevent CSRF vulnerabilities:
- Implement CSRF tokens: One of the most effective ways to prevent CSRF is to use CSRF tokens. These tokens are generated by the server and embedded in the web page. When the user submits a form or clicks a button, the token is included in the request, and the server verifies it before performing the action.
- Use SameSite cookies: SameSite cookies can help prevent CSRF attacks by restricting the scope of cookies to the domain that set them. This prevents the cookie from being sent along with a cross-site request.
- Check Referer header: The Referer header indicates the page that made the request, and can be used to check that the request is coming from a page on the same site. However, this header can be spoofed, so it should not be relied on as the sole means of preventing CSRF attacks.
- Limit permissions: Limiting the permissions of authenticated users can reduce the impact of CSRF attacks. For example, a user with read-only access is less vulnerable than one who can make changes.
By following these steps, developers can help prevent CSRF vulnerabilities and protect their users from attacks.
Link to read full write up: here
Save the PDF here