Hacking Any Facebook Page - Latest Bug in Laxman's List
Facebook bounty hunter Laxman Muthiyah from India has recently discovered his third bug of this year in the widely popular social network website that just made a new record by touching 1 Billion users in a single day.
Now, the latest bug in Laxman's list could allow attackers to take over control of your Facebook pages.
This time Laxman has found an issue with the "Facebook business pages" that are not specific to a single user account, but instead represent a business and are usually managed by a number of users.
However, Laxman found that a third-party app holding only limited permissions could take complete control of a Facebook business page, possibly making the victim permanently lose administrator access to the page.
Laxman reported the flaw to the Facebook security team and received the reward of $2500 USD as a part of Facebook's bug bounty program.
Status: Fixed
Here's How:
Third-party Facebook applications are capable of performing all sorts of operations, including posting status updates on your behalf, publishing photos, and other tasks, but Facebook doesn't allow them to add or modify page admin roles.
Facebook allows a page administrator to assign different roles to different people in the organisation through manage_pages, a special access permission requested by third-party apps.
However, according to Laxman, an attacker could use a single, simple request to make himself an admin of a particular Facebook page.
Sample Request
The request looks something like this:
POST /PGID/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
role=MANAGER&user=X&business=B&access_token=AAAA…
Here, page PGID belongs to business B. Using nothing more than the manage_pages permission, this request makes user X a MANAGER (i.e. an administrator) of the page.
This means a small change to the request parameters could allow an attacker to gain complete control over your Facebook page.
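The root cause described above is an authorization check that stops at the OAuth scope (manage_pages) and never asks whether the calling user is actually an admin of the page named in the URL. The following Python model is an added example, not Facebook's code and not Laxman's proof of concept: it borrows only the endpoint path and the role, user, business and access_token parameters from the sample request, and everything else (the token store, the page table, the role names besides MANAGER, the Forbidden error) is constructed for illustration. It puts a scope-only check beside an object-level check so the difference is visible on the same request.

```python
"""Scope-only vs. object-level authorization for a page-role change.

Added, illustrative model of the bug class described in the article.
Endpoint path and request parameters follow the article's sample request;
the token store, pages, users and extra role names are constructed here.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Roles a page can hold. MANAGER is the admin role from the article; the
# other role is an assumption used to show "cannot grant above your own".
ROLE_RANK = {"CONTENT_CREATOR": 1, "MANAGER": 2}


@dataclass(frozen=True)
class Token:
    """Constructed stand-in for an app access token: who it acts as, which scopes it has."""
    acting_user: str
    scopes: frozenset


@dataclass
class Page:
    page_id: str
    business_id: str
    roles: dict = field(default_factory=dict)  # user -> role name


class Forbidden(Exception):
    """Raised when an authorization check rejects the request."""


def parse_role_request(body: str) -> dict:
    """Parse the form-encoded body of POST /PGID/userpermissions."""
    fields = parse_qs(body, strict_parsing=True)
    try:
        return {k: fields[k][0] for k in ("role", "user", "business", "access_token")}
    except KeyError as missing:
        raise ValueError(f"missing parameter {missing}") from None


def vulnerable_set_role(token: Token, page: Page, req: dict) -> dict:
    """Weak check: verifies only that the token carries the manage_pages scope.

    A manage_pages token issued for ANY page is enough to set any role on
    THIS page, which is the shape of the flaw the article describes.
    """
    if "manage_pages" not in token.scopes:
        raise Forbidden("missing manage_pages scope")
    page.roles[req["user"]] = req["role"]
    return page.roles


def hardened_set_role(token: Token, page: Page, req: dict) -> dict:
    """Object-level check: scope, page/business binding, and the caller's own role on this page."""
    if "manage_pages" not in token.scopes:
        raise Forbidden("missing manage_pages scope")
    if page.business_id != req["business"]:
        raise Forbidden("page does not belong to the named business")
    caller_role = page.roles.get(token.acting_user)
    if caller_role != "MANAGER":
        raise Forbidden("caller is not an admin of this page")
    new_role = req["role"]
    if new_role not in ROLE_RANK or ROLE_RANK[new_role] > ROLE_RANK[caller_role]:
        raise Forbidden("unknown role or role above the caller's own")
    page.roles[req["user"]] = new_role
    return page.roles


def handle(body: str, tokens: dict, pages: dict, page_id: str, checker) -> dict:
    """Dispatch one POST /<page_id>/userpermissions body through the given checker."""
    req = parse_role_request(body)
    token = tokens.get(req["access_token"])
    if token is None:
        raise Forbidden("unknown access token")
    page = pages.get(page_id)
    if page is None:
        raise Forbidden("no such page")
    return checker(token, page, req)


def build_scenario():
    """Constructed state: page PGID of business B has one admin ('owner');
    user X holds a manage_pages token that was never granted for PGID."""
    pages = {"PGID": Page("PGID", "B", {"owner": "MANAGER"})}
    tokens = {
        "AAAA-x": Token("X", frozenset({"manage_pages"})),
        "AAAA-owner": Token("owner", frozenset({"manage_pages"})),
    }
    return tokens, pages


# Shape of the article's sample request, with a constructed token value.
SAMPLE_BODY = "role=MANAGER&user=X&business=B&access_token=AAAA-x"


def attempt(body: str, checker):
    """Run one request against a fresh scenario; returns ('ok', roles) or ('forbidden', reason)."""
    tokens, pages = build_scenario()
    try:
        return ("ok", dict(handle(body, tokens, pages, "PGID", checker)))
    except Forbidden as exc:
        return ("forbidden", str(exc))


if __name__ == "__main__":
    print("scope-only  :", attempt(SAMPLE_BODY, vulnerable_set_role))
    print("object-level:", attempt(SAMPLE_BODY, hardened_set_role))
```

The point of the hardened variant is that the scope on the token is a necessary but not sufficient condition: the server must also bind the request to the specific page (and its business) and confirm the acting user's existing role on that page before changing anyone's role. A role-change audit log keyed on page_id and acting_user is the natural place to detect the scope-only failure mode, since the offending request arrives from a user with no role on the page at all.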
Video Demonstration
Laxman has also provided a video demonstration that shows the attack in action. You can watch the video given below, which walks you through the entire procedure:
Hacking Facebook Pages
Another Serious Vulnerability in Facebook
Vulnerability: Hacking Facebook Pages
Status: Fixed
Reward: $2500 USD
Proof of Concept: http://www.7xter.com/2015/08/hacking-facebook-pages.html
Posted by 7xter on Wednesday, 26 August 2015