csrf

60 articles
blog.darabi.me · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago

vulnerability
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago

vulnerability
blog.darabi.me · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago

ahussam.me · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago
josipfranjkovic.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago

vulnerability

A CSRF vulnerability in Facebook's Instagram Business Tools allowed attackers to execute arbitrary GraphQL mutations by crafting malicious URLs that leveraged the victim's authenticated access token, enabling unauthorized actions like creating posts with malicious content. The vulnerability exploited improper parameter handling in the /business/:id endpoint where user-controlled IDs were sent to the Graph API without proper CSRF protections.

Facebook Instagram business.instagram.com graph.facebook.com BusinessToolsEntrypoint.instagram BusinessStore.instagram SyncAddMutations
philippeharewood.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago

vulnerability
rafiem.github.io · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago

santuysec.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago

A CSRF vulnerability was discovered in a web application's address deletion feature that lacked CSRF token protection, compounded by a predictable numeric addressId parameter that could be brute-forced via JavaScript to delete arbitrary user addresses. The researcher developed a proof-of-concept that sends hundreds of requests with sequential addressId values from a victim's browser to identify and delete their saved addresses.

Smaran Chand Nittam xyzcompany.com
smaranchand.com.np · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago

soroush.secproject.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago

vulnerability

A site-wide CSRF vulnerability was discovered on Messenger.com, where validation of the CSRF token (fb_dtsg) was missing entirely on multiple endpoints, allowing attackers to perform unauthorized actions such as changing settings and removing users from group threads. The vulnerability affected all POST requests regardless of whether the token was modified, removed, or omitted entirely.

messenger.com Facebook @phwd @mazen160 fb_dtsg XMessengerDotComSettingsEditController
whitton.io · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago
nirmaldahal.com.np · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago

vulnerability
medium.com · Mohamed Laajimi · 125 years ago

lokeshdlk77.medium.com · Lokesh kumar · 125 years ago
medium.com · Lokesh Kumar · 125 years ago
ysamm.com · Samm0uda · 125 years ago
rohitcoder.medium.com · Rohit kumar · 125 years ago
rohitcoder.medium.com · Rohit kumar · 125 years ago