SafeUM
Home Blog Services Download Help About Recharge

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
Archive
TOP Security!
2 Sep 2015

Facebook vulnerability allows hackers to hack any pages

Facebook bounty hunter Laxman Muthiyah from India has recently discovered his third bug of this year in the social network website that just made a new record by touching 1 Billion users in a single day.

At the beginning of the year, Laxman discovered a serious flaw in Facebook graphs that allowed him to view or probably delete others photo album on Facebook, even without having authentication.

Just after a month, Laxman uncovered another critical vulnerability in the social network platform that resided in the Facebook Photo Sync feature, that automatically uploads photos from your mobile device to a private Facebook album, which isn’t visible to any of your Facebook friends or other Facebook users. However, the flaw discovered by Laxman could allowed any third-party app to access and steal your personal photographs from the hidden Facebook Photo Sync album.

Hacking Any Facebook Page

Now, the latest bug in Laxman's list could allow attackers to take over control of your Facebook pages. This time Laxman has found an issue with the "Facebook business pages" that are not specific to a single user account, but instead represent a business and are usually managed by a number of users. However, Laxman could allow third-party apps to take complete control of a Facebook business page with limited permissions, possibly making the victim permanently lose administrator access to the page.

Here's How:

Third party Facebook applications are capable of performing all sets of operations, including post status on your behalf, publishing photos, and other tasks, but Facebook doesn't allow them to add or modify page admin roles. Facebook allows a page administrator to assign different roles to different people in the organisation through manage_pages, a special access permission requested by third-party apps. However, according to Laxman, an attacker can use a simple string of requests in an attempt to make himself as admin of the particular Facebook page.

Sample Request

The string something look like this:

    POST /PGID/userpermissions HTTP/1.1
    Host: graph.facebook.com
    Content-Length: 245
    role=MANAGER&user=X&business=B&access_token=AAAA…

Here, page PGID belongs to business B, where one can manage_pages request to make user 'X' as a MANAGER (assign as an administrator) of the page. This means these small changes in the request parameters could allow an attacker to gain complete control over your Facebook page.

Video Demonstration

Laxman has also provided a video demonstration that shows the attack in work. You can watch the video given below that will walk you through the entire procedure:

Laxman reported the flaw to the Facebook security team and received the reward of $2500 USD as a part of Facebook's bug bounty program. Though the social network has now fixed the loophole, you must always be aware of the permissions you grant to any third-party applications.

Tags:
Facebook information leaks
Source:
The Hackers News
1844
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015