In this post, I'm going to discuss a possible attack scenario, targeting the Facebook web application, that could lead to the reset of account passwords by exploiting a UI Redressing issue in combination with a cross-domain content extraction technique.

During my research, I discovered a Facebook web resource that is not protected by the X-Frame-Options header and that includes the token adopted as an anti-CSRF token (Figure 1). The following is the affected URL:
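The finding above is a resource that can be loaded in a third-party frame because it ships no X-Frame-Options header. The following is an added example, not code from the original post, showing how to audit a response's headers for framing protection. It checks X-Frame-Options as well as the CSP frame-ancestors directive, which browsers that support it evaluate in preference to X-Frame-Options. The sample header sets at the bottom are constructed for illustration and are not Facebook's real responses.

```javascript
// Added example: audit an HTTP response's headers for clickjacking protection.
// Header names and values follow the X-Frame-Options and CSP standards; the
// SAMPLES object below is constructed test data, not captured traffic.

// Normalize a headers object to lowercase keys, joining multi-valued headers.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    const val = Array.isArray(value) ? value.join(', ') : String(value);
    out[key] = key in out ? `${out[key]}, ${val}` : val;
  }
  return out;
}

// Extract the frame-ancestors source list from a CSP header value, with the
// surrounding quotes stripped and lowercased. Returns null if the directive is absent.
function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Decide whether an arbitrary third-party origin may frame this response.
// Returns { framable: boolean, reason: string }.
function auditFraming(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);

  // CSP frame-ancestors, when present, overrides X-Frame-Options in supporting
  // browsers, so it is evaluated first.
  if (h['content-security-policy']) {
    const sources = frameAncestors(h['content-security-policy']);
    if (sources !== null) {
      if (sources.length === 0 || sources.includes('none')) {
        return { framable: false, reason: "frame-ancestors 'none' blocks all framing" };
      }
      const open = sources.some((s) =>
        s === '*' || s === 'http:' || s === 'https:' || s === 'http://*' || s === 'https://*');
      if (open) {
        return { framable: true, reason: `frame-ancestors allows any origin (${sources.join(' ')})` };
      }
      return { framable: false, reason: `frame-ancestors restricts framing to: ${sources.join(' ')}` };
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { framable: false, reason: `X-Frame-Options: ${xfo}` };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // Obsolete value: never standardized and ignored by current browsers.
    return { framable: true, reason: 'X-Frame-Options: ALLOW-FROM is obsolete and ignored by most browsers' };
  }
  if (xfo) {
    return { framable: true, reason: `unrecognized X-Frame-Options value "${xfo}" is ignored by browsers` };
  }
  return { framable: true, reason: 'no X-Frame-Options and no CSP frame-ancestors' };
}

// Constructed sample responses (illustrative only, not real Facebook headers).
const SAMPLES = {
  unprotected: { 'Content-Type': 'text/html; charset=utf-8' },
  xfoDeny: { 'Content-Type': 'text/html', 'X-Frame-Options': 'DENY' },
  cspSelf: { 'content-security-policy': "default-src 'self'; frame-ancestors 'self'" },
  // frame-ancestors wins over X-Frame-Options, so this one is still framable.
  cspWildcard: { 'Content-Security-Policy': 'frame-ancestors *', 'X-Frame-Options': 'DENY' },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  const r = auditFraming(headers);
  console.log(`${name.padEnd(12)} framable=${r.framable}  ${r.reason}`);
}
```

The `unprotected` sample reproduces the condition described in the post: with neither header present, any origin can embed the page in an iframe and build a UI Redressing overlay on top of it.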

Figure 2 - Users can add their mobile number via the "add your phone number here" link.

Figure 3 - Facebook's form used to add a mobile number.

Figure 4 - A confirmation code is sent to the user's mobile and must be entered to complete the process.

The exploit

Figure 5 - SMS with Facebook's confirmation code, which is then forwarded to the attacker's mailbox.

Figure 6 - Facebook confirmation code forwarded to the attacker's mailbox.

Facebook allows users to add a mobile number that, once verified, can be used as a username to log in or to reset the account's password. Users can insert their mobile number via the options shown in Figure 2 and Figure 3: a confirmation code is then sent by Facebook to the user's mobile phone, and it must be entered (Figure 4) to complete the activation process.

The main issue here is that nothing beyond the anti-CSRF token is required to associate a mobile number with the user's profile. Because of this, an attacker can abuse the described UI Redressing vulnerability to steal the token and register an arbitrary phone number. Despite this, the attacker still needs to enter the confirmation code, which is delivered to the number being registered, in order to complete the association. A bit of black magic helps here: the attacker can abuse an Android mobile application to forward the Facebook text message (SMS) to an attacker-controlled mailbox, thus allowing a hypothetical exploit to fetch the code and complete the insertion process.

A working Proof of Concept exploit has been developed in order to demonstrate the described attack, and the code has also been shared with the Facebook security team. During my experiments, the Android application SMS2Mail was used to forward the Facebook SMS (Figure 5) to the mailbox (Figure 6). The following steps summarize the exploitation phases: