Facebook page– An Indian researcher discovered a critical vulnerability in the Facebook business manager that could be exploited to hack any Page.
The Indian security researcher Arun Sureshkumar reported a critical vulnerability in the Facebook business manager that could be exploited by attackers to hack any Facebook page.
The Business Manager is the component that allows businesses to share and control access to assets on Facebook, including Pages and Ad accounts.
Facebook Business Manager also allows administrators to share access to Pages and ad accounts without being friends with coworkers on Facebook.
Before analyze the technique devised by the researcher let me introduce you the concept of Insecure Direct Object Reference.
According to the definition provided by the OWASP project,the Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, an attacker can bypass authorization and access resources in the system directly.
“Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object.
Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.” reads the OWASP.
Sureshkumar exploited an IDOR vulnerability in the Facebook Business Manager that allowed him to take over any Facebook page in less than 10 seconds.
Sureshkumar used his Facebook business account (ID =907970555981524) to add a partner. He used as a partner a test account with ID 991079870975788.
The hacker used Burp Suite to capture the request using Burp Suite, the tool allowed him to modify the request.
The hacker used Burp Suite to capture the request using Burp Suite,the tool allowed him to modify the request.
What about Facebook page hacking
He changed the ‘asset id’ value with the one of the target page to hack, and also interchanged the ‘parent_business_id’ value with ‘agency_id’. He also changed the role value to ‘MANAGER’.
parent_business_id= 991079870975788
agency_id= 907970555981524
asset_id =190313461381022
role= MANAGER
With this simple trick, Sureshkumar demonstrated that hacking Facebook Pages was possible. He obtained admin rights on the business page.
Sureshkumar also published a video PoC of the attack.
The security expert reported the flaw to Facebook on August 29,2016. Facebook investigated the problem and discovered also another flaw in its platform.
The giant of the social networks awarded Sureshkumar with 16,000 USD as part of its bug bounty program.
Facebook page hacking softwares
Cost $100
Kindly message us via our contact section for immediate share of the Facebook hacking softwares its cheap and affordable.
If you don’t understand the above article don’t hesitate to ask questions via our contact section for clarification
Interesting