This write-up covers an Insecure Direct Object Reference vulnerability in Facebook Business Manager that let an attacker take over any Facebook Page in less than 10 seconds.
Pages are for brands, businesses, organisations and public figures to create a presence on Facebook, whereas profiles represent individual people. Anyone with an account can create a Page or help manage one, if they’ve been given a role on the Page like admin or editor. People who like a Page and their friends can get updates in News Feed. With a Facebook Page, you can easily show customers what you’re all about.
Keep new and existing customers engaged by:
- Listing details – such as opening hours and contact info
- Adding big, beautiful photos and images
- Posting updates to let people know the latest about your business
Business Manager lets businesses more securely share and control access to their ad accounts, Pages, and other assets on Facebook. Anyone in a business can see all of the Pages and ad accounts they work on in one place, without sharing login information or being connected to their coworkers on Facebook. When you sign into Business Manager, we’ll show you a quick overview of the ad accounts and Pages that you work on. If you’re the admin for your business, go to Business Settings to add new people, Pages, ad accounts and other assets to your business.
Business Manager is a new, more secure tool for managing access to Pages and ad accounts, geared towards companies who need to give different permissions to lots of people.
Business Manager lets you:
- Manage access to Pages and ad accounts: Clearly see who has access to your Pages and ad accounts and remove or change their permissions.
- Keep your work separate: Get access to Pages and ad accounts without being friends with your coworkers on Facebook. Learn more about what your coworkers can see about you.
Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.
Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.
Reference: Insecure Direct Object References
Reproduction Instructions / Proof of Concept:
Here I will show the security vulnerability, which could take over any Facebook Page.
1. Two Facebook Business Manager accounts.
One is my own business; the other can be the business of any test account.
Here I use my own business id: 907970555981524
The other is any partner id, so I take it from my test account: 991079870975788
2. Add a partner from my own business and intercept the request.
The vulnerable request:
POST /business_share/asset_to_agency/?dpr=2 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Accept-Encoding: gzip, deflate, br
Cookie: rc=2; datr=AWE3V–DUGNTOAy0wTGmpAXb; locale=en_GB; sb=BWE3V1vCnlxJF87yY9a8WWjP; pl=n; lu=gh2GPBnmZY1B1j_7J0Zi3nAA; c_user=100000771680694; xs=25%3A5C6rNSCaCX92MA%3A2%3A1472402327%3A4837; fr=05UM8RW0tTkDVgbSW.AWUB4pn0DvP1fQoqywWeORlj_LE.BXN2EF.IL.FfD.0.0.BXxBSo.AWXdKm2I; csm=2; s=Aa50vjfSfyFHHmC1.BXwxOY; _ga=GA1.2.1773948073.1464668667; p=-2; presence=EDvF3EtimeF1472469215EuserFA21B00771680694A2EstateFDutF1472469215051CEchFDp_5f1B00771680694F7CC; act=1472469233458%2F6
3. Change the asset id to the id of the page you want to hack, and also swap the parent_business_id with the agency_id.
4. Resend the request.
The request is sent successfully, and the page is added to the attacker’s Facebook Business Manager with the Manager permission role.
5. Assign myself as admin of the page that was added by the exploit.
6. Browse the page in Facebook Business Manager and do whatever you like with it!
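The root cause described above (the endpoint trusts the asset_id, parent_business_id and agency_id it is sent, and never checks that the logged-in user administers the parent business that owns the asset) is easiest to see as a vulnerable handler beside its hardened form. The following is an added example written for this page, not Facebook’s code: the data model, the business and page ids, the role names and the log lines are all constructed, and the handler names are hypothetical. It also includes a small audit function that replays logged share requests against the ownership model, which is the check a defender would run over past requests once such a bug is found.

```python
"""Added example (not Facebook's code): the authorization check an
asset-sharing endpoint like /business_share/asset_to_agency/ needs.
Every id, role and log line below is constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Business:
    id: int
    admins: set[int] = field(default_factory=set)  # user ids holding an admin role
    pages: set[int] = field(default_factory=set)   # page (asset) ids this business owns


class AuthorizationError(Exception):
    pass


# Constructed sample data; ids are placeholders, not real Facebook ids.
BUSINESSES: dict[int, Business] = {
    1001: Business(1001, admins={1}, pages={501}),  # victim business, owns page 501
    2002: Business(2002, admins={2}, pages={502}),  # a second, unrelated business
}
# agency_id -> set of (asset_id, role) grants the agency has received
GRANTS: dict[int, set[tuple[int, str]]] = {1001: set(), 2002: set()}


def share_asset_vulnerable(actor: int, asset_id: int,
                           parent_business_id: int, agency_id: int) -> bool:
    """Classic IDOR: trusts every id in the request. It checks only that the
    two businesses exist, never that `actor` may act for parent_business_id
    or that parent_business_id owns asset_id."""
    if parent_business_id not in BUSINESSES or agency_id not in BUSINESSES:
        raise AuthorizationError("unknown business")
    GRANTS[agency_id].add((asset_id, "MANAGER"))
    return True


def authorize_share(actor: int, asset_id: int,
                    parent_business_id: int, agency_id: int) -> None:
    """Authority comes from the authenticated session (actor), not from the
    submitted ids: the actor must administer the parent business, and the
    parent business must actually own the asset being shared."""
    parent = BUSINESSES.get(parent_business_id)
    if parent is None or agency_id not in BUSINESSES:
        raise AuthorizationError("unknown business")
    if actor not in parent.admins:
        raise AuthorizationError(
            f"user {actor} does not administer business {parent_business_id}")
    if asset_id not in parent.pages:
        raise AuthorizationError(
            f"business {parent_business_id} does not own asset {asset_id}")


def share_asset_hardened(actor: int, asset_id: int,
                         parent_business_id: int, agency_id: int) -> bool:
    """Same operation, but the grant happens only after authorize_share passes."""
    authorize_share(actor, asset_id, parent_business_id, agency_id)
    GRANTS[agency_id].add((asset_id, "MANAGER"))
    return True


def is_share_allowed(actor: int, asset_id: int,
                     parent_business_id: int, agency_id: int) -> bool:
    """Boolean view of authorize_share, convenient for tests and audits."""
    try:
        authorize_share(actor, asset_id, parent_business_id, agency_id)
        return True
    except AuthorizationError:
        return False


# Constructed request log: timestamp, method, path, then key=value parameters.
SAMPLE_LOG = """\
2016-08-29T00:05:00 POST /business_share/asset_to_agency/ actor=1 asset_id=501 parent_business_id=1001 agency_id=2002
2016-08-29T00:06:00 POST /business_share/asset_to_agency/ actor=2 asset_id=501 parent_business_id=1001 agency_id=2002
2016-08-29T00:07:00 POST /business_share/asset_to_agency/ actor=2 asset_id=502 parent_business_id=2002 agency_id=1001
"""


def audit_share_log(log: str) -> list[dict[str, str]]:
    """Replays logged share requests against the ownership model and returns
    the ones a correct authorization check would have refused."""
    flagged = []
    for line in log.splitlines():
        params = {k: int(v) for k, v in
                  (kv.split("=", 1) for kv in line.split()[3:])}
        try:
            authorize_share(**params)
        except AuthorizationError as err:
            flagged.append({"line": line, "reason": str(err)})
    return flagged


if __name__ == "__main__":
    for hit in audit_share_log(SAMPLE_LOG):
        print(hit["reason"], "<-", hit["line"])
```

The second log line is the shape of request this report describes: the actor is an admin of one business but names another business as parent_business_id. The vulnerable handler accepts it; the hardened one refuses it because the check is anchored to the session’s actual roles, and the audit function flags it for the same reason.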
All timestamps are in India Standard Time. I omitted a few unimportant interactions.
- 29 August 2016 at 00:08 : Initial report
- 30 August 2016 at 06:52 : Bug acknowledged by security team member Nancy
- 30 August 2016 at 12:29 : Security team member Neal Poole informed me that “Issue should be addressed (we’ve taken down the endpoint temporarily and are going to be removing it entirely)”.
- 6 September 2016 at 21:30 : I replied confirming that the bug was patched.
- 6 September 2016 at 23:04 : Security team member William informed me that “We have looked into this issue and believe that the vulnerability has been patched. Please follow up with us if you believe that the patch does not resolve this issue.”
- 6 September 2016 at 23:04 : I replied that the permanent fix patched the bug.
- 16 September 2016 at 01:24 : Security team member Rusty informed me that “I wanted to reach out and inform you that we have decided to pay you a bounty of 16,000 dollars for this report. A majority of the bounty is for the page takeover capability of your exploit, but while investigating your report we discovered and fixed another issue as well, so the bounty is a little higher because of that. You can expect the standard longer payout message later in the week.”
- 16 September 2016 at 02:32 : Bounty of $16,000 awarded.