3 min read

How any Facebook page could have been hijacked or deleted... in just 10 seconds

Graham CLULEY

September 20, 2016

How any Facebook page could have been hijacked or deleted... in just 10 seconds

Can you imagine just how much online criminals would pay to be able to hijack, and even delete, any page on Facebook?

Facebook pages are used by organisations, businesses and high profile figures like FC Barcelona (94 million fans), Vin Diesel (100 million fans), and Shakira (104 million fans) to promote their brands and are an essential part of their marketing.

Hey, even Bitdefender has a thriving Facebook page, where we keep over one million fans (and counting!) up-to-date on the latest security threats and share advice on how to keep your computer safe online.

For a celebrity or well-known brand to lose control of its Facebook page could be catastrophic, eroding the trust of fans and – potentially – spreading malicious links or hate speech.

It’s easy to picture how a hacker could demonstrate their power to break into a particular Facebook page, and then attempt to extort money from the page’s legitimate owner by making threats of doing it again in a more malicious way next time.

My guess is that if someone were able to devise a way of hacking any page on Facebook, that criminal gangs would be prepared to pay a pretty penny for the method.

Chances are that a hacking gang would pay more than the $16,000 Facebook has just paid a security researcher who uncovered a method to takeover any Facebook page in less than 10 seconds.

Arun Sureshkumar responsibly disclosed the vulnerability to Facebook’s security team at the end of August, and will share further details of the flaw at the 0SecCon being held in India later this month.

As Sureshkumar demonstrates in a proof-of-concept YouTube video he made of the exploit, an insecure direct object reference vulnerability allowed him to bypass authorisation checks in Facebook Business Manager – the free feature which allows multiple members of a team to share access to a Facebook page without having to share login details.

The video – best viewed in full screen mode – sees Sureshkumar change a business ID number in a web request to that of the ID number of the page he wants to hack, granting him the required rights to surreptitiously add himself as a manager of the targeted Facebook page.

Clearly Facebook should have done a better job at checking whether the request was authorised, rather than just saying “Oh, I’ll trust that parameter I’ve been passed as genuine”.

In his blog post, Sureshkumar explains that he could have taken over the pages of famous figures such as Bill Gates and Barack Obama, and performed critical actions such as page deletion.

For its part, Facebook’s security team appears to have patched the vulnerability rapidly – and decided to reward Sureshkumar through its bug bounty program:

“I wanted to reach out and inform you that we have decided to pay you a bounty of 16,000 dollars for this report. A majority of the bounty is for the page takeover capability of your exploit, but while investigating your report we discovered and fixed another issue as well, so the bounty is a little higher because of that. You can expect the standard longer payout message later in the week.”

fb-bounty

Well done to Facebook for fixing the problem, Sureshkumar for finding it in the first place and for his responsible disclosure.

But I can’t help but feel that this vulnerability would have been worth much more than $16,000 on the criminal underground – and that Facebook might want to assess its bounty rewards in future to ensure that vulnerability researchers are properly rewarded, and not tempted by the dark side…

tags


Author



Right now

Top posts

Watch Out for These Ongoing Bank of America Phishing Campaigns Targeting Customers in the US

Watch Out for These Ongoing Bank of America Phishing Campaigns Targeting Customers in the US

July 16, 2021

3 min read
How to protect yourself against cyberstalking

How to protect yourself against cyberstalking

July 06, 2021

2 min read
The Top Five Security Risks Smartphone Users Face Today

The Top Five Security Risks Smartphone Users Face Today

July 02, 2021

4 min read
Phishing Alert: Scammers Use Fake SharePoint and DocuSign Messages to Steal Users’ Login Credentials

Phishing Alert: Scammers Use Fake SharePoint and DocuSign Messages to Steal Users’ Login Credentials

July 02, 2021

3 min read
Your Doxxing Dossier Will Keep Growing Thicker Until You See the Danger

Your Doxxing Dossier Will Keep Growing Thicker Until You See the Danger

June 30, 2021

2 min read
Mobile security threats: reality or myth?

Mobile security threats: reality or myth?

June 13, 2021

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

FBI Warns that Tokyo 2020 Summer Olympics Is Prime Target for Cyberattacks FBI Warns that Tokyo 2020 Summer Olympics Is Prime Target for Cyberattacks
Silviu STAHIE

July 27, 2021

1 min read
Patch your iPhones and Macs against "actively exploited" zero-day right now Patch your iPhones and Macs against "actively exploited" zero-day right now
Graham CLULEY

July 27, 2021

2 min read
Fraud Family cybercrime ring under the spotlight as arrests made in the Netherlands Fraud Family cybercrime ring under the spotlight as arrests made in the Netherlands
Graham CLULEY

July 23, 2021

3 min read