Table Of Contents
Facebook vulnerability allows hackers to take admin control of the business pages on Facebook
Security researcher Laxman Muthiya has found a serious vulnerability in the way Facebook business manager allows third party access. This vulnerability can be exploited by hackers to gain limited permissions and the victim will permanently lose admin access to the page.
Detailing his findings on his blog, Laxman has stated that if the vulnerability is exploited, the hacker can take over admin privileges of a Facebook page and remove the victim.
By default Facebook application interface do not allow third party applications to add or modify page admin roles (page roles like manager, editor, analyst etc..). Third party applications are allowed to perform all the operations like post statuses on your behalf, publish photos, etc.. except adding admin roles because if an application is allowed to add or remove admins then it could add some user as admin to the page and remove the actual owner permanently.
However business pages on Facebook operate on different theory. There is an endpoint for business pages called userpermissions which allows to add or remove page admin roles who are already handling the Facebook business. Muthiya found out that there is a vulnerability in this endpoint which can be exploited to take over the business page of the victim and remove him/her from admin control.
Laxman found that he could make a manage_pages request to to this endpoint tool using following request
POST /PGID/userpermissions HTTP/1.1 Host: graph.facebook.com Content-Length: 245 role=MANAGER&user=X&business=B&access_token=AAAA...
Page Takeover :
Request :-POST /<page_id>/userpermissions HTTP/1.1Host : graph.facebook.comContent-Length: 245role=MANAGER&user=<target_user_id>&access_token=<application_access_token>Response :-true
Request :-Delete /<page_id>/userpermissions HTTP/1.1Host : graph.facebook.comContent-Length: 245user=<target_user_id>&access_token=<application_access_token>Response :-trueThats all! Target page is hacked!
Muthiya contacted the Facebook security team about the vulnerability. Facebook confirmed the vulnerability and awarded him a bug bounty of $2500.00. The vulnerability has been patched by Facebook.