Full Report
FXAuth is Meta's shared authentication system, used by a variety of Meta-owned services. The endpoint https://auth.meta.com/fxauth/ returns a signed token and blob that the calling website then uses. The base_uri parameter tells FXAuth where to redirect back to. Originally, base_uri was not restricted at all, so an attacker could redirect the victim to an arbitrary domain and extract the token, which made account takeover possible. The fix restricted base_uri to Meta-owned domains, on the assumption that the path on those domains could not be attacker-controlled either. That assumption does not hold: legacy locations exist where an attacker can execute arbitrary JavaScript under a path they control, namely https://apps.facebook.com/{app_namespace}. An attacker who owns an application can therefore read parameters from the URL the victim lands on, even though they do not control the redirect path directly. Once the victim is redirected to the attacker's application, the attacker's JavaScript can use the token to finalize sensitive flows, such as account linking, and gain persistent access to the victim's account. This led to two 32.5K payouts.
Analysis Summary
# Vulnerability: Arbitrary Domain Redirect in FXAuth Leading to Token Exfiltration and Account Takeover
## CVE Details
- CVE ID: Not explicitly assigned in the source material.
- CVSS Score: Not explicitly assigned in the source material.
- CWE: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') for both the original flaw and the bypass. The bypass is additionally an instance of CWE-183: Permissive List of Allowed Inputs, because the host allowlist admitted a Meta-owned host (`apps.facebook.com`) whose paths are controlled by third-party application owners.
## Affected Systems
- Products: Meta FXAuth authentication system (used by Facebook, Instagram, Meta/Horizon services).
- Versions: Unspecified, covers a period before the final fix in January 2026.
- Configurations: Any deployment that accepts the `base_uri` parameter in the FXAuth flow without validating the full redirect target (host and path) against registered endpoints, together with the legacy `apps.facebook.com/{app_namespace}` surfaces on which third parties control the path.
## Vulnerability Description
The FXAuth endpoint (`https://auth.meta.com/fxauth/`) was initially vulnerable to Open Redirect via the `base_uri` parameter, allowing token exfiltration to any domain. This was partially fixed by restricting `base_uri` to Meta-owned domains.
However, the fix was insufficient because legacy application hosting surfaces, specifically `https://apps.facebook.com/{app_namespace}`, remained vulnerable. If an attacker owned an application namespace, they could manipulate the FXAuth redirect to point to their controlled path within `apps.facebook.com`. Since the attacker controlled the JavaScript execution context on that path, they could read the sensitive `token` and `blob` parameters returned in the URL upon redirection, leading to token exfiltration.
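The three validation stages described above (no restriction, host-only allowlist, exact match of the full redirect target), as an added Python example that is not code from the original report or from Meta. The host allowlist, the client id `horizon-web`, the registered callback URI, the namespace `attacker_app` and all helper names are assumptions made for illustration; the real FXAuth configuration is not public.

```python
from typing import Optional
from urllib.parse import urlparse, urlunparse, urlencode, parse_qs

# Hypothetical host allowlist standing in for "Meta-owned domains" (assumption).
META_HOSTS = {"www.facebook.com", "www.instagram.com", "auth.meta.com", "apps.facebook.com"}

# Hypothetical per-client registration of exact callback URIs (assumption):
# the OAuth-style approach that closes the path-controlled bypass.
REGISTERED_REDIRECTS = {
    "horizon-web": {"https://www.facebook.com/fxauth/callback"},
}


def original_check(base_uri: str) -> bool:
    """Pre-fix behaviour: base_uri is not restricted at all (open redirect)."""
    return True


def host_allowlist_check(base_uri: str) -> bool:
    """First fix: the host must be Meta-owned. The path is ignored, so a Meta
    host that serves third-party content under a path, such as
    apps.facebook.com/<app_namespace>, still passes."""
    p = urlparse(base_uri)
    # .hostname strips userinfo and port, so "https://www.facebook.com@evil.example/"
    # is compared as "evil.example", not as "www.facebook.com".
    return p.scheme == "https" and p.hostname in META_HOSTS


def exact_match_check(client_id: str, base_uri: str) -> bool:
    """Hardened check: scheme, host and path must exactly equal a URI registered
    for this client, and no query or fragment is allowed, so an
    attacker-controlled path on a trusted host is rejected."""
    p = urlparse(base_uri)
    if p.scheme != "https" or not p.hostname or p.query or p.fragment:
        return False
    canonical = urlunparse(("https", p.hostname, p.path or "/", "", "", ""))
    return canonical in REGISTERED_REDIRECTS.get(client_id, set())


def issue_redirect(base_uri: str, token: str, blob: str, validator) -> Optional[str]:
    """Server side: validate base_uri with the given validator, then append the
    signed token and blob to the redirect URL. Returns None when rejected."""
    if not validator(base_uri):
        return None
    sep = "&" if urlparse(base_uri).query else "?"
    return base_uri + sep + urlencode({"token": token, "blob": blob})


def read_token_from_landing_url(url: str) -> Optional[str]:
    """What the attacker's JavaScript does on the landing page: read the token
    out of the URL it was redirected to. Written in Python here so the whole
    flow runs offline."""
    return parse_qs(urlparse(url).query).get("token", [None])[0]


if __name__ == "__main__":
    bypass = "https://apps.facebook.com/attacker_app"  # hypothetical namespace
    landing = issue_redirect(bypass, "tok-123", "blob-456", host_allowlist_check)
    print("host allowlist lets the victim land on:", landing)
    print("attacker-side read of the token:", read_token_from_landing_url(landing))
    print("exact-match check rejects the same base_uri:",
          issue_redirect(bypass, "tok-123", "blob-456",
                         lambda u: exact_match_check("horizon-web", u)))
```

The point of the exact-match validator is that it does not reason about which hosts are "Meta-owned" at all: a redirect target is either one the client registered, byte for byte after canonicalisation, or it is rejected, so a trusted host with a third-party-controlled path is never special-cased.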
## Exploitation
- Status: No in-the-wild exploitation is reported in the source material. The original flaw and the bypass were each reported through Meta's bug bounty program (two 32.5K payouts).
- Complexity: Low (Initial flaw) to Medium (Requires owning a legacy application namespace for the secondary flaw).
- Attack Vector: Network (Requires user interaction via a crafted link).
## Impact
- Confidentiality: High (Sensitive authentication token exfiltrated).
- Integrity: High (Token used to finalize sensitive flows like account linking or re-authentication).
- Availability: Low (the attack does not lock the victim out; the persistence comes from the attacker's linked identity remaining on the account rather than from denying the victim access).
## Remediation
### Patches
- **Primary Fix:** Restricting the `base_uri` parameter exclusively to verified, safe Meta domains.
- **Secondary Fix (Addressing Bypass):** Rejecting `base_uri` values that point at the legacy `apps.facebook.com/{app_namespace}` surfaces, or at any Meta host where a third party controls the path, so that the full redirect target is validated rather than the host alone, or otherwise ensuring the token and blob cannot be read from the URL there. (Fix implied to be completed around Jan 15, 2026.)
### Workarounds
- No specific vendor-provided workarounds were detailed, but temporary user mitigations would involve avoiding suspicious links and monitoring for unauthorized account changes (like unauthorized account linking).
## Detection
- **Indicators of Compromise:** Session creation or account linking activity originating from flows that appear to have bypassed explicit re-authentication prompts.
- **Detection methods and tools:** Monitoring logs for redirects from `auth.meta.com/fxauth/` to unexpected hosts, or to paths under `apps.facebook.com` that are not registered callbacks, where the redirect URL carries a `token` or `blob` in the query string or fragment. Correlating such redirects with the same token being used shortly afterwards in a sensitive API call (account linking, re-authentication) raises the confidence of the alert.
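The detection idea above, as an added Python example that is not part of the original page: the JSON-per-line log format, the event names, field names, users and tokens are constructed for the example, and the set of expected callbacks and the correlation window are assumptions.

```python
import json
from typing import Dict, List
from urllib.parse import urlparse, parse_qs

# Hypothetical (host, path) pairs FXAuth is expected to redirect to (assumption).
EXPECTED_CALLBACKS = {("www.facebook.com", "/fxauth/callback"),
                      ("www.instagram.com", "/fxauth/callback")}
# Meta-owned hosts that serve third-party content under a path (from the report).
PATH_SHARED_HOSTS = {"apps.facebook.com"}
CORRELATION_WINDOW = 60  # seconds between a suspicious redirect and token use (assumption)

# Constructed sample log lines, not real Meta logs.
SAMPLE_LOG = """
{"ts": 100, "event": "fxauth_redirect", "user": "u1", "target": "https://www.facebook.com/fxauth/callback?token=t1&blob=b1"}
{"ts": 101, "event": "fxauth_redirect", "user": "u2", "target": "https://apps.facebook.com/shady_app?token=t2&blob=b2"}
{"ts": 103, "event": "api_call", "user": "u2", "method": "account_link", "token": "t2"}
{"ts": 130, "event": "fxauth_redirect", "user": "u3", "target": "https://apps.facebook.com/some_app?token=t3&blob=b3"}
{"ts": 140, "event": "api_call", "user": "u1", "method": "account_link", "token": "t1"}
""".strip()


def classify_target(target: str) -> str:
    """'expected' for a registered callback, 'path_shared_host' for a Meta host
    whose path is third-party controlled, 'unexpected' for anything else."""
    p = urlparse(target)
    if (p.hostname, p.path or "/") in EXPECTED_CALLBACKS:
        return "expected"
    if p.hostname in PATH_SHARED_HOSTS:
        return "path_shared_host"
    return "unexpected"


def detect(log_text: str) -> List[Dict]:
    """Flag redirects that expose a token/blob to a non-registered target, and
    escalate when the same token is used in a sensitive call soon afterwards."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    by_token: Dict[str, Dict] = {}  # token -> alert for suspicious redirects
    alerts: List[Dict] = []
    for e in events:
        if e["event"] == "fxauth_redirect":
            verdict = classify_target(e["target"])
            if verdict == "expected":
                continue
            q = parse_qs(urlparse(e["target"]).query)
            if "token" not in q and "blob" not in q:
                continue  # nothing sensitive reached that page
            alert = {"user": e["user"], "token": q.get("token", [None])[0],
                     "target": e["target"], "reason": verdict,
                     "redirect_ts": e["ts"], "severity": "medium",
                     "followed_by": None}
            alerts.append(alert)
            if alert["token"] is not None:
                by_token[alert["token"]] = alert
        elif e["event"] == "api_call" and e.get("token") in by_token:
            alert = by_token[e["token"]]
            if 0 <= e["ts"] - alert["redirect_ts"] <= CORRELATION_WINDOW:
                alert["severity"] = "high"
                alert["followed_by"] = e["method"]
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"], a["user"], a["reason"], a["target"], a["followed_by"])
```

Run against the constructed log, the redirect for `u1` is silent because it went to a registered callback, `u3` produces a medium alert (token exposed under a third-party path but not used), and `u2` escalates to high because the same token was spent on an account-linking call two seconds after landing on the attacker-style namespace.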
## References
- Vendor Advisories: Not explicitly cited, but derived from researcher disclosure timelines.
- Relevant links - defanged: hxxps://ysamm[.]com/