Serious Vulnerability Could Have Allowed Hackers to Hijack Any Facebook Page
A security researcher earned $16,000 from Facebook after discovering a serious vulnerability. Had attackers found it first, they could have exploited the flaw to hijack any Facebook Page.
Facebook Pages are now used by organizations large and small, by celebrities and even by publications. Facebook's free Business Manager tool lets Page owners manage ad accounts, apps, Pages, and the people who work on them. Business Manager lets people access their organization's Pages and ads without sharing login credentials.
Identified by Arun Sureshkumar, the flaw affected Facebook Business Manager. If exploited, anyone could have added any Facebook Page to their own Business Manager account with Manager rights. They could then have deleted the Page, altered it, or posted whatever they wanted through it.
How hackers could have hijacked any Facebook Page
When you assign a partner to your Page through Business Manager, Facebook asks you to specify the partner's business ID and their role. While examining this flow, the researcher found that several parameters of the request could be manipulated because of an Insecure Direct Object Reference (IDOR) vulnerability: the server acted on the object IDs supplied in the request without checking that the requester was actually authorized for the Page those IDs named.
To exploit it, an attacker would intercept the HTTP request their browser sent to Facebook when assigning a partner to a Page they legitimately controlled, then edit the parameters of that request before forwarding it. By replacing the Page ID in the intercepted request with the ID of any other Page, the attacker could have taken over whichever Page they wanted.
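The following is an added illustration of the bug class described above, not Facebook's code or the researcher's proof of concept. It models an "assign partner to Page" handler: the vulnerable version resolves the Page straight from the client-supplied ID, the fixed version first checks that the authenticated user administers that Page. The form field names (`page_id`, `partner_business_id`, `role`), the role names, the user and business identifiers and the captured request body are all constructed for the example; the real Business Manager request format is not on the page.

```python
"""Added example (not Facebook's code): the missing authorization check
behind an IDOR in an 'assign partner to a Page' request, and the fix.
All field names, IDs, roles and the sample request are constructed."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode


class Forbidden(Exception):
    """Raised by the fixed handler when the caller may not act on the Page."""


@dataclass
class Page:
    page_id: int
    admins: set                                   # user IDs that administer the Page
    partners: dict = field(default_factory=dict)  # partner business ID -> role


VALID_ROLES = {"MANAGER", "CONTENT_CREATOR", "ANALYST"}   # assumed role names


def make_pages():
    """Constructed sample state: alice administers Page 1001, bob Page 2002."""
    return {
        1001: Page(1001, admins={"alice"}),
        2002: Page(2002, admins={"bob"}),
    }


def parse_form(body):
    """Flatten an application/x-www-form-urlencoded body to a plain dict."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


def tamper_body(body, new_page_id):
    """The proxy step: rewrite one field of the captured request body and
    forward everything else unchanged."""
    fields = parse_form(body)
    fields["page_id"] = str(new_page_id)
    return urlencode(fields)


def assign_partner_vulnerable(pages, user, body):
    """Handler with the IDOR. The session proves who `user` is, but the Page
    is looked up directly from the client-supplied page_id and nothing ties
    that Page to `user`, so any valid ID is accepted."""
    fields = parse_form(body)
    page = pages[int(fields["page_id"])]
    role = fields["role"]
    if role not in VALID_ROLES:
        raise ValueError("unknown role: " + role)
    page.partners[fields["partner_business_id"]] = role
    return page


def assign_partner_fixed(pages, user, body):
    """Same operation with the authorization check in place: the object
    reference is resolved, then verified against the authenticated user
    before it is used. Unknown and unauthorized Pages get the same error so
    the endpoint cannot be used to enumerate valid Page IDs."""
    fields = parse_form(body)
    page = pages.get(int(fields["page_id"]))
    if page is None or user not in page.admins:
        raise Forbidden("caller does not administer this Page")
    role = fields["role"]
    if role not in VALID_ROLES:
        raise ValueError("unknown role: " + role)
    page.partners[fields["partner_business_id"]] = role
    return page


def demo():
    """Replay the attack from the article against both handlers.
    Returns (attacker_became_manager_of_victim_page, fixed_handler_blocked_it)."""
    pages = make_pages()
    pages[3003] = Page(3003, admins={"mallory"})      # attacker's own Page
    # Captured from mallory's browser while she assigns a partner to Page 3003.
    captured = urlencode({"page_id": "3003",
                          "partner_business_id": "mallory-biz",
                          "role": "MANAGER"})
    replayed = tamper_body(captured, 2002)             # swap in bob's Page ID

    assign_partner_vulnerable(pages, "mallory", replayed)
    hijacked = pages[2002].partners.get("mallory-biz") == "MANAGER"

    pages = make_pages()                               # fresh state for the fix
    pages[3003] = Page(3003, admins={"mallory"})
    try:
        assign_partner_fixed(pages, "mallory", replayed)
        blocked = False
    except Forbidden:
        blocked = True
    return hijacked, blocked and pages[2002].partners == {}


if __name__ == "__main__":
    print(demo())
```

The point of the fixed handler is that identity (the session) and authorization (may this identity act on this object?) are separate checks; an IDOR is exactly the case where the second one is missing. Returning the same error for a nonexistent and an unauthorized Page is a small extra that stops the same endpoint from doubling as a Page ID oracle.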
Sureshkumar says the vulnerability could have been used to take over any Page, including high-profile ones. He reported it to the social media giant on August 29, and Facebook fixed it within six hours of being notified. The company paid a higher bounty of $16,000 because it discovered another issue while investigating the IDOR flaw.
He has shared a proof-of-concept video of the attack, and more technical details are available in his blog post.