Facebook Page Takeover In 10 Seconds?
Everyone wants to know how to hack a Facebook page or an account, but no one wants to do the hard work. Here is an Indian hacker who found a critical security flaw in Facebook Business Manager that allowed him to hack any Facebook page within 10 seconds.
Arun Sureshkumar, an Indian IT security researcher, exposed a critical vulnerability in Facebook Business Manager that allowed attackers to take over any Facebook page. In return, Facebook awarded Sureshkumar 16,000 USD as part of its bug bounty program.
Arun Sureshkumar / Image Source: Facebook
The issue discovered by the hacker revolves around Insecure Direct Object Reference (IDOR): a reference to an internal implementation object, such as a file or database key, is exposed to users without any further access control check, so an attacker can manipulate that reference to reach unauthorized data. In Facebook's case, an IDOR vulnerability in Business Manager allowed him to take over any Facebook page in less than 10 seconds.
Business Manager lets businesses share and control access to their ad accounts, Pages, and other assets on Facebook. Anyone in a business can see all of the Pages and ad accounts they work on in one place, without sharing login information or being connected to their coworkers on Facebook.
The researcher also mentioned that an attacker could even take over pages such as those of Bill Gates, Narendra Modi and Barack Obama and do whatever damage they wished, including deleting the pages.
Sureshkumar created two Facebook Business Manager accounts, one as his own and the other for testing. He then added a partner using his own ID and intercepted the request with Burp Suite. In that request he replaced the parent business ID with his agency ID and the asset ID with the ID of the page he wanted to take over. With the IDs changed, he requested the manager role on the page.
Within a few seconds, Sureshkumar had admin rights on the target page, allowing him to perform any action he wanted through Business Manager.
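As an added illustration (not code from the article, from Sureshkumar's write-up or from Facebook), the following hypothetical Python model shows the missing server-side check behind this kind of IDOR: the vulnerable handler trusts the parent-business, agency and asset IDs it receives, while the hardened version verifies the caller's relationship to each object before granting a role. All IDs, user names and roles are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Business:
    business_id: int
    admins: set = field(default_factory=set)   # user ids allowed to act for this business
    pages: set = field(default_factory=set)    # page ids (assets) this business owns

# Constructed sample data (hypothetical ids): page 42 belongs to business 100,
# administered only by "alice"; business 200 is the attacker's own agency.
BUSINESSES = {
    100: Business(100, admins={"alice"}, pages={42}),
    200: Business(200, admins={"mallory"}, pages=set()),
}
PAGE_ROLES = {}  # page_id -> {business_id: role granted on that page}

def assign_partner_vulnerable(caller, parent_business_id, agency_id, asset_id, role):
    """IDOR: the handler only checks that the ids exist. It never verifies that
    `caller` may act for `parent_business_id`, or that `parent_business_id`
    actually owns `asset_id`, so swapping ids in the request is enough."""
    if parent_business_id not in BUSINESSES or agency_id not in BUSINESSES:
        raise ValueError("unknown business")
    PAGE_ROLES.setdefault(asset_id, {})[agency_id] = role
    return True

def assign_partner_hardened(caller, parent_business_id, agency_id, asset_id, role):
    """Same operation with the two missing object-level checks: the caller must
    administer the parent business, and the parent business must own the asset.
    Request ids are untrusted lookup keys, never proof of ownership."""
    parent = BUSINESSES.get(parent_business_id)
    if parent is None or agency_id not in BUSINESSES:
        raise ValueError("unknown business")
    if caller not in parent.admins:
        raise PermissionError("caller does not administer the parent business")
    if asset_id not in parent.pages:
        raise PermissionError("asset is not owned by the parent business")
    PAGE_ROLES.setdefault(asset_id, {})[agency_id] = role
    return True

def page_role(asset_id, business_id):
    """Role a business currently holds on a page, or None."""
    return PAGE_ROLES.get(asset_id, {}).get(business_id)

def attempt(handler, *args):
    """Run a handler and report 'granted' or 'denied' instead of raising."""
    try:
        handler(*args)
        return "granted"
    except PermissionError:
        return "denied"
```

The same pattern applies to any endpoint that receives object identifiers: the server must derive authorization from the authenticated session and its own ownership records, not from the IDs in the request.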
Watch how Sureshkumar was able to hack a Facebook page in no time at all:
The security flaw was reported to Facebook on 29 August 2016 and, luckily for Sureshkumar, while investigating his report Facebook found and fixed another issue as well. That made the total bounty higher than what is usually paid for page-related flaws. As a result, he was paid 16,000 USD on 16 September this year.
More technical details are available on Arun SureshKumar’s blog.
All time-stamps are in India Standard Time. Omitted a few unimportant interactions.
- 29 August 2016 at 00:08 : Initial report
- 30 August 2016 at 06:52 : Bug acknowledged by security team member Nancy
- 30 August 2016 at 12:29 : Security team member Neal Poole informed me that “Issue should be addressed (we’ve taken down the endpoint temporarily and are going to be removing it entirely)”.
- 6 September 2016 at 21:30 : I replied confirming that the bug was patched.
- 6 September 2016 at 23:04 : Security team member William informed me that “We have looked into this issue and believe that the vulnerability has been patched. Please follow up with us if you believe that the patch does not resolve this issue.”
- 6 September 2016 at 23:04 : I replied that the permanent fix patched the bug.
- 16 September 2016 at 01:24 : Security team member Rusty informed me that “I wanted to reach out and inform you that we have decided to pay you a bounty of 16,000 dollars for this report. A majority of the bounty is for the page takeover capability of your exploit, but while investigating your report we discovered and fixed another issue as well, so the bounty is a little higher because of that. You can expect the standard longer payout message later in the week.”
- 16 September 2016 at 02:32 : Bounty of $16,000 awarded.
This is a good, legitimate way to benefit from hacking.