Security researcher discovers a Zero-day in Facebook that allows him to take over any FB Page
Facebook is fast becoming a superlative medium for small and medium businesses to promote their products to a wider customer base. The gist of Facebook is the main Facebook Page which allows brands, businesses, organisations and public figures to list their products/services and reach out to their target audience. Anyone with an account can create a Page and reach out to their prospective buyers who will like the Facebook Page if it interests them. Following the page gets automatic updates on his/her News Feed.
An Indian security researcher has discovered a zero-day in the Facebook Page which allowed him to hijack any FB Page belonging to any organisation. Arun Sureshkumar discovered a zero-day in how the Facebook handles requests for its business accounts. Arun has described his bug discovery on his Blogspot where he says he can take over Facebook Page belonging to anybody like President Obama, Prime Minister Modi etc.
Facebook Business Manager lets businesses more securely share and control access to their ad accounts, Pages, and other assets on Facebook. Anyone in a business can see all of the Pages and ad accounts they work on in one place, without sharing login information or being connected to their coworkers on Facebook.
Arun found that he could deceive Facebook into allowing to access any Facebook Page through its Business Manager zero-day using Insecure Direct Object References vulnerability. Here is a video Arun’s Facebook hack PoC :
Arun informed Facebook about the vulnerability and the FB Security Team acknowledged that the zero-day is highly critical. Facebook temporarily patched the flaw by removing the end-point and then issued an update to completely patch the zero-day in a week. Arun was paid $16,000 for his bug discovery.