# Exploit Title: Facebook Delete Friends CSRF
# Date: 5/21/10
# Author: Steven Abbagnaro
# Website: http://prominentsecurity.com
# Code:

===============================================
[+] Facebook Delete Friends CSRF
[+] Author: Steven Abbagnaro
[+] Site: http://ProminentSecurity.com
[+] Contact: Steve@ProminentSecurity.com
===============================================

[+] Description

Facebook fails to enforce the CSRF protection token "post_form_id" on its delete friend request. By simply omitting "post_form_id" from the request, Facebook will still execute the request and delete the friend whose ID is specified in the request.

[+] Explanation

Request: http://m.facebook.com/removefriend.php?friend_id=[FRIEND_ID]
Get Args: friend_id=[FRIEND_ID]
Post Args: confirm=Confirm

By replacing FRIEND_ID with the ID of a friend of the currently logged-in user, an attacker can craft a web page that auto-submits a form with JavaScript, sending the specified request to Facebook and deleting that friend.

By default, your Facebook friend list is public. That means this process can be automated to scrape the IDs of each friend on the victim's friend list and carry out the delete request for each one.
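The root cause described above, shown as an added illustration that is not part of the advisory: a request handler in the vulnerable shape (the token is compared only when the client happens to send one) beside the corrected shape (the token is required on every state-changing request and compared in constant time). The session and request dictionaries and the handler names are assumptions.

```python
import hmac
import secrets

# Constructed example modelled on the post_form_id check from the advisory.
# The session/request dicts and handler names are assumptions, not Facebook's code.

def new_session():
    """Create a session carrying a random per-session CSRF token."""
    return {"user_id": 1, "friends": {2, 3, 4}, "post_form_id": secrets.token_hex(16)}

def handle_remove_friend_weak(session, request):
    """Vulnerable pattern: the token is only validated when present.
    A cross-site request that simply omits post_form_id skips the check."""
    token = request.get("post_form_id")
    if token is not None and token != session["post_form_id"]:
        return 403, "bad post_form_id"
    if request.get("confirm") != "Confirm":
        return 400, "not confirmed"
    session["friends"].discard(int(request["friend_id"]))
    return 200, "removed"

def handle_remove_friend_fixed(session, request):
    """Hardened pattern: the token is mandatory on every state-changing request
    and compared in constant time, so an absent token is rejected outright."""
    token = request.get("post_form_id")
    if not token or not hmac.compare_digest(
        token.encode(), session["post_form_id"].encode()
    ):
        return 403, "missing or bad post_form_id"
    if request.get("confirm") != "Confirm":
        return 400, "not confirmed"
    session["friends"].discard(int(request["friend_id"]))
    return 200, "removed"

def demo():
    """Replay the same token-less request against both handlers and report
    the status code and remaining friend list for each."""
    forged = {"friend_id": "2", "confirm": "Confirm"}  # constructed request without a token
    weak_session = new_session()
    weak_status, _ = handle_remove_friend_weak(weak_session, dict(forged))
    fixed_session = new_session()
    fixed_status, _ = handle_remove_friend_fixed(fixed_session, dict(forged))
    return (weak_status, sorted(weak_session["friends"]),
            fixed_status, sorted(fixed_session["friends"]))

if __name__ == "__main__":
    print(demo())  # → (200, [3, 4], 403, [2, 3, 4])
```

The weak handler removes friend 2 without any token, while the fixed handler refuses the request and leaves the friend list intact; a legitimate form that carries the session's token still succeeds against the fixed handler.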