Own Facebook fan page? BEWARE of this trick that could hijack your page

Security researcher Laxman Muthiyah, has recently discovered a new bug in ‘Facebook pages’ that allows attacker to hack and take control of any Facebook page that are managed by multiple users on role bases. Facebook has already fixed this bug and awarded the researcher with bounty.
Although the bug has been fixed already, you should be aware of this trick and protect your page from getting hacked in future. So lets start with how Laxman used this trick. To hack Facebook page, Laxman exploited a vulnerability found in Facebook business manager endpoint that allows 3rd party apps to hack any Facebook page with limited permissions and remove page admin roles of the the victim.
Many Facebook business page owners use 3rd party apps to post automated statuses, publish photos, get fake likes and get other insights. By default when the user uses 3rd party app for his business page, it is allowed to add or modify page admin roles (page roles like manager, editor, analyst etc..) But the vulnerability allows hackers to use rogue app that could add some user as admin to the page and remove the actual admin permanently.
Hacking Facebook fan page - latest trick
Following are the requests used by hacker in his app that would modify the page roles.
For Page Takeover (Request):
POST /<page_id>/userpermissions HTTP/1.1
Host : graph.facebook.com
Content-Length: 245
role=MANAGER&user=<target_user_id>&access_token=<application_access_token>
For Removing Victim (Request):
Delete /<page_id>/userpermissions HTTP/1.1
Host : graph.facebook.com
Content-Length: 245
user=<target_user_id>&access_token=<application_access_token>

How Facebook page hacking works?

  1. Hacker sets-up a rogue Facebook app that contains above requests.
  2. He then creates a website offering Facebook page service.
  3. After everything is set, he then lures Facebook page owners to get more like or reveal insights.
  4. The Page owner (victim) accesses hackers website and clicks Facebook login button that will trigger rogue app built by hacker and eventually giving control to his Facebook pages.
  5. Instead of getting promised like the victim looses his ownership to the pages.

Comments