Introduction



FXAuth is Meta’s shared authentication system used across Facebook, Instagram, and Meta (Horizon / VR). It is used by Accounts Center for account linking, re-authentication, and sensitive action confirmation.

This write-up documents a redirect flaw in the FXAuth flow that allows the token to be exfiltrated and reused, enabling account linking and takeover in as little as two interactions.

Description


The FXAuth Redirect Model

The FXAuth flow endpoint for meta.com is:

https://auth.meta.com/fxauth/

This endpoint asks for user approval and then redirects the browser back to the requesting site (facebook.com or instagram.com) carrying a signed token and blob. It accepts multiple parameters, including base_uri, which tells the endpoint where to send the browser after approval.

Originally, base_uri accepted any arbitrary domain, making token exfiltration trivial. Meta fixed this by restricting the parameter to Meta-owned domains.

However, the fix relied on an incorrect assumption: that restricting base_uri to Meta-owned domains is sufficient as long as the attacker cannot control the redirect path directly.

Why the Fix Was Insufficient

While base_uri was restricted to Meta domains, not all Meta domains are safe.

Legacy surfaces still exist where attackers can execute JavaScript under controlled paths. One such surface is apps.facebook.com.

Developers can register applications with a namespace that becomes part of the URL:

https://apps.facebook.com/{app_namespace}

If the attacker owns such an application (older ones in particular), their own JavaScript runs at that URL, so they can read the query parameters of any redirect that lands under their namespace, even though they never controlled the base_uri host itself.

This effectively reintroduces the original vulnerability under a different trust boundary.

The Exploitable FXAuth Flow

A valid FXAuth request accepts:

  • app_id belonging to Facebook or Instagram
  • flow such as frlcomet or frlreauth
  • etoken generated earlier in an Accounts Center flow
  • next restricted to internal paths
  • base_uri restricted to Meta-owned domains

Example:

https://auth.meta.com/fxauth/
?app_id=2220391788200892
&etoken=ATTACKER_ETOKEN
&next=%2Fpersonal_info
&flow=frlcomet
&base_uri=https://apps.facebook.com
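To make the trust-boundary point concrete, here is an added example (illustrative code written for this write-up, not Meta's implementation) that models the two redirect checks in Node.js: a domain-suffix allow-list of the kind the first fix relied on, next to a stricter check that binds base_uri and next to an origin registered for the requesting app_id. META_DOMAINS, APP_REDIRECTS, the registered origin for the app_id and all function names are assumptions made for the example; the crafted request uses the parameters shown above.

```javascript
// Added illustration, not Meta's code. META_DOMAINS, APP_REDIRECTS and the
// function names are assumptions; the app_id and hosts are from the write-up.

// Weak model: any https origin on a Meta-owned domain (or a subdomain) passes.
const META_DOMAINS = ["facebook.com", "instagram.com", "meta.com"];

// Stricter model: one registered redirect origin and path prefix per app_id.
// (Hypothetical registration for the Facebook app_id from the write-up.)
const APP_REDIRECTS = {
  "2220391788200892": { origin: "https://www.facebook.com", pathPrefix: "/" },
};

function hostIsMetaOwned(host) {
  return META_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// "next" must be a same-origin path: one leading slash, no scheme, no
// protocol-relative "//", no backslashes, no ".." segments.
function isInternalPath(next) {
  return typeof next === "string"
    && /^\/(?![\/\\])/.test(next)
    && !next.includes("\\")
    && !next.split("?")[0].split("/").some((seg) => seg === "..");
}

// Domain-suffix check: returns the final redirect URL, or null if rejected.
function weakRedirectTarget(params) {
  let base;
  try { base = new URL(params.base_uri); } catch { return null; }
  if (base.protocol !== "https:" || !hostIsMetaOwned(base.hostname)) return null;
  if (!isInternalPath(params.next)) return null;
  return new URL(params.next, base.origin).href;
}

// Per-app check: base_uri must equal the registered origin exactly, and the
// resolved path must stay under the registered prefix.
function strictRedirectTarget(params) {
  const reg = APP_REDIRECTS[params.app_id];
  if (!reg) return null;
  let base;
  try { base = new URL(params.base_uri); } catch { return null; }
  if (base.origin !== reg.origin || base.username || base.password) return null;
  if (!isInternalPath(params.next)) return null;
  const target = new URL(params.next, reg.origin);
  if (target.origin !== reg.origin || !target.pathname.startsWith(reg.pathPrefix)) return null;
  return target.href;
}

// After approval the signed values are appended to whichever target was chosen.
function redirectWithToken(target, blob, token) {
  const u = new URL(target);
  u.searchParams.set("blob", blob);
  u.searchParams.set("token", token);
  return u.href;
}

// The crafted request from the write-up: Meta-owned host, internal-looking path.
const crafted = {
  app_id: "2220391788200892",
  etoken: "ATTACKER_ETOKEN",
  next: "/personal_info",
  flow: "frlcomet",
  base_uri: "https://apps.facebook.com",
};

const weak = weakRedirectTarget(crafted);
console.log("domain-suffix check :", weak);
console.log("  browser lands at  :", weak && redirectWithToken(weak, "BLOB", "TOKEN"));
console.log("per-app check       :", strictRedirectTarget(crafted));
```

The domain-suffix check returns https://apps.facebook.com/personal_info, which is exactly the attacker-owned namespace, so the signed values are delivered to attacker JavaScript; the per-app check returns null because apps.facebook.com is not the origin registered for that app_id. The general lesson is the standard OAuth one: compare the redirect target against a per-client registered value by exact match, and never treat "same parent domain" as "same trust level" when any host under it serves third-party content.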

The etoken can be obtained by initiating a standard Accounts Center linking flow:

https://accountscenter.facebook.com/add/?auth_flow=frl_linking&background_page=%2F

Token Exfiltration

When the victim opens the crafted FXAuth URL and approves the request, the browser is redirected to:

https://apps.facebook.com/personal_info

The redirect includes sensitive parameters such as blob and token.

Because the attacker's application owns the personal_info namespace, their JavaScript runs on that page and can read both values straight from the URL. At this point the attacker holds a valid FXAuth token and blob bound to the victim's account and can finalize privileged flows without any further user confirmation:

Account linking:

https://accountscenter.facebook.com/add/
?auth_flow=frl_linking
&background_page=%2F
&blob=BLOB
&token=TOKEN

Action re-authentication bypass:

https://accountscenter.facebook.com/profiles/VICTIM_PROFILE_ID/name/
?auth_flow=reauth
&blob=BLOB
&token=TOKEN

These flows normally require explicit confirmation. Possession of a valid FXAuth token bypasses that requirement entirely.

Impact



This vulnerability enables linking attacker-controlled accounts, bypassing Accounts Center confirmations, and achieving full account takeover with minimal interaction.

Timeline



Jun 27, 2023 — Bug reported

Jun 28, 2023 — Bug Acknowledged by Meta

Jun 29, 2023 — $32,500 bounty awarded by Meta

Dec 29, 2024 — Bypass reported

Apr 28, 2025 — $32,500 bounty awarded by Meta

Jan 15, 2026 — Bug fixed by Meta