Facebook vulnerability allows hackers to take admin control of the business pages on FacebookPage Takeover :Removing VictimProof of concept video :
Detailing his findings on his blog, Laxman has stated that if the vulnerability is exploited, the hacker can take over admin privileges of a Facebook page and remove the victim. By default Facebook application interface do not allow third party applications to add or modify page admin roles (page roles like manager, editor, analyst etc..). Third party applications are allowed to perform all the operations like post statuses on your behalf, publish photos, etc.. except adding admin roles because if an application is allowed to add or remove admins then it could add some user as admin to the page and remove the actual owner permanently. However business pages on Facebook operate on different theory. There is an endpoint for business pages called userpermissions which allows to add or remove page admin roles who are already handling the Facebook business. Muthiya found out that there is a vulnerability in this endpoint which can be exploited to take over the business page of the victim and remove him/her from admin control. Laxman found that he could make a manage_pages request to to this endpoint tool using following request
Page Takeover :
Removing Victim
Muthiya contacted the Facebook security team about the vulnerability. Facebook confirmed the vulnerability and awarded him a bug bounty of $2500.00. The vulnerability has been patched by Facebook.
Proof of concept video :
Posted by 7xter on Wednesday, August 26, 2015
