How one man could have taken over any business on Facebook

The flaws in Facebook’s social network just keep coming. The latest one, luckily discovered and reported by a white hat researcher, enabled anyone on Facebook to make themselves (or anyone else) an administrator for any Facebook business account.

Facebook’s business accounts are designed to let the likes of businesses, charities and publications manage their presence on the social network. Admins can handle advertising, message followers, post updates on Facebook pages, and add and remove other people entitled to manage the business account.

Security researcher Philippe Harewood says on his blog that he discovered an endpoint on the social network's site for importing administrators into a business account that had no access control on it: nothing checked whether the caller held any role in the business being modified. That made it possible to add anyone as an administrator to any business account, he claimed.

The attack could be executed with a single HTTP POST to Facebook's site containing the ID of the targeted business, the ID of the attacker's account, and a valid session ID. In a demo video on the blog, he sends that POST and then shows the new admin listed in Facebook Business Manager.

He said:

This could have let an attacker without an existing role take over any business account and gain access to various business assets (Facebook pages, Ad accounts, applications, Instagram accounts) connected to the business.

Harewood says he reported the vulnerability to Facebook on 9 October, and the company began investigating the same day. Facebook fixed it within six working days and awarded him a $27,500 bounty.

He is one of 139 people that Facebook thanked on its bug bounty appreciation page for this year. Last year, the average reward per submission increased to almost $1,900, the company said, and it paid out a total of over $880,000 to researchers, bringing its total paid out to over $6.3 million.

Harewood isn’t the only researcher to have discovered a yawning hole in Facebook’s defences that could have allowed a single attacker to affect many of its records:

Delete any page. In 2016, Naked Security reported on a $16,000 bug bounty paid to a researcher who discovered how to delete any Facebook page. That attack allowed anyone to add any Facebook page to their Facebook Business Manager account with management rights, and then do whatever they wanted with it, including changing its content or deleting it altogether.

Delete any image. Last November, a researcher scooped a $10,000 bounty from Facebook after finding an insecure direct object reference (IDOR): the site trusted the object ID supplied in a request, so a user could swap the ID of an object they owned for the ID of someone else's object and manipulate it without authorization. In that case, the bug would have allowed him to delete any image in Facebook's database.

Delete any video. Earlier that year, another researcher worked out how to delete any video on the social network without permission. That bug involved posting a video to a public event and then, in a follow-up HTTP POST, replacing that video's ID with the ID of the video the attacker wanted to delete. Facebook would swap the targeted video into the event post, where the attacker could then erase it. That discovery also netted a $10,000 reward.
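All four bugs above share one root cause: an endpoint that authenticates the caller (the session is real) but never authorizes the action against the object named in the request. The admin-import bug is the function-level form (the caller had no role on the business), and the page, image and video deletions are the object-level form (IDOR). The following is an added, constructed Python model of that pattern, not code from Harewood's blog or from Facebook; the Business, Photo and session objects, the IDs, and the handler names are hypothetical stand-ins. Each vulnerable handler is shown next to a fixed one that adds the missing check.

```python
"""Constructed model of the bug class described in the article: handlers that
authenticate but never authorize. Data model and names are hypothetical."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised where a real web app would return HTTP 403."""


@dataclass
class Business:
    id: int
    admins: set = field(default_factory=set)   # user IDs holding an admin role


@dataclass
class Photo:
    id: int
    owner_id: int


@dataclass
class World:
    """In-memory stand-in for the application's database and session store."""
    businesses: dict   # business ID -> Business
    photos: dict       # photo ID -> Photo
    sessions: dict     # session token -> authenticated user ID


def fresh_world() -> World:
    # Constructed sample data: business 100 is administered by user 42;
    # user 9001 is the attacker, logged in but holding no role anywhere.
    return World(
        businesses={100: Business(100, {42})},
        photos={555: Photo(555, owner_id=42)},
        sessions={"sess_admin": 42, "sess_attacker": 9001},
    )


def _caller(world: World, token: str) -> int:
    """Authentication only: establishes who is making the request."""
    user = world.sessions.get(token)
    if user is None:
        raise Forbidden("no valid session")
    return user


def import_admin_vulnerable(world, token, business_id, user_id):
    """Mirrors the reported flaw: any logged-in user can add any user
    (including themselves) as an admin of any business."""
    _caller(world, token)                      # authenticated ...
    biz = world.businesses[business_id]        # ... but never authorized
    biz.admins.add(user_id)
    return sorted(biz.admins)


def import_admin_fixed(world, token, business_id, user_id):
    """The missing check: the caller must already hold an admin role on the
    *target* business before being allowed to grant one."""
    caller = _caller(world, token)
    biz = world.businesses.get(business_id)
    if biz is None or caller not in biz.admins:
        raise Forbidden("caller has no admin role on business %d" % business_id)
    biz.admins.add(user_id)
    return sorted(biz.admins)


def delete_photo_vulnerable(world, token, photo_id):
    """IDOR: the ID in the request is trusted; ownership is never checked."""
    _caller(world, token)
    world.photos.pop(photo_id, None)
    return photo_id not in world.photos


def delete_photo_fixed(world, token, photo_id):
    """Ownership check binds the referenced object to the authenticated caller."""
    caller = _caller(world, token)
    photo = world.photos.get(photo_id)
    # One error for both "does not exist" and "not yours", so the endpoint
    # cannot be used to enumerate which IDs exist.
    if photo is None or photo.owner_id != caller:
        raise Forbidden("photo %d not found or not owned by caller" % photo_id)
    del world.photos[photo_id]
    return True


def attacker_can(world, handler, *args) -> bool:
    """Run a handler from the attacker's session; True if it was allowed."""
    try:
        handler(world, "sess_attacker", *args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    for name, handler, args in [
        ("import_admin_vulnerable", import_admin_vulnerable, (100, 9001)),
        ("import_admin_fixed", import_admin_fixed, (100, 9001)),
        ("delete_photo_vulnerable", delete_photo_vulnerable, (555,)),
        ("delete_photo_fixed", delete_photo_fixed, (555,)),
    ]:
        print("%-24s attacker succeeds: %s" % (name, attacker_can(fresh_world(), handler, *args)))
```

The point the model makes is that a session check is not an authorization check: every handler above accepts the same valid session, and only the fixed versions ask whether that session's user is entitled to touch the specific business or photo the request names.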

All of those were found by bug bounty hunters looking to do the right thing. The one that got away was the recently discovered flaw in Facebook’s “View As” feature that was exploited by hackers to the tune of about 50 million compromised accounts. Whoever discovered that flaw decided to use the bug themselves rather than tell the social network about it.

To stop those system-wide attacks, Facebook has to be lucky every time. Black hats just have to be lucky once, by discovering a systemically exploitable problem before a white hat does. Given how much sensitive personal information is on the social network, that’s a worrying thought.