Sophos Cloud Optix
The flaws in Facebook’s social network just keep coming. The latest one, luckily discovered and reported by a white hat researcher, enabled anyone on Facebook to make themselves (or anyone else) an administrator for any Facebook business account.
Facebook’s business accounts are designed to let the likes of businesses, charities and publications manage their presence on the social network. Admins can handle advertising, message followers, post updates on Facebook pages, and add and remove other people entitled to manage the business account.
Security researcher Philippe Harewood says on his blog that he discovered a way to import administrators to a business account via a call to the social network’s website that didn’t have any access control set on it. This made it possible to add anyone as an administrator to any business account, he claimed.
The attack could be executed by making a simple HTTP post to Facebook’s site that included the ID of the targeted business, the ID of the attacker’s account, and a session ID. In a demo video on the blog, he shows himself making an HTTP post to Facebook and then showing the new admin added in the Facebook Business Manager.
He said:
This could have let an attacker without an existing role, take over any business account and gain access to various business assets (Facebook pages, Ad accounts, applications, Instagram accounts) connected to the business.
Harewood says that he reported the vulnerability to Facebook on 9 October, and the company began investigating on the same day. It fixed it within six working days and then awarded him a $27,500 bounty.
He is one of 139 people that Facebook thanked on its bug bounty appreciation page for this year. Last year, the average reward per submission increased to almost $1,900, the company said, and it paid out a total of over $880,000 to researchers, bringing its total paid out to over $6.3 million.
Harewood isn’t the only researcher to have discovered a yawning hole in Facebook’s defences that could have allowed a single attacker to affect many of its records:
Delete any page. In 2016, Naked Security reported on a $16,000 bug bounty paid to a researcher who discovered how to delete any Facebook page. That attack allowed anyone to add any Facebook page to their Facebook Business Manager account with management rights, and then do whatever they wanted to with it, including changing its content or deleting it altogether. That researcher got paid a healthy $16,000 for discovering the flaw.
Delete any image. Last November, a researcher scooped a $10,000 bounty from Facebook after finding a way to exploit insecure direct object references, which allows a user to change the ID of an object they owned to reference someone else’s object and then manipulate it without authorization. In that case, the bug would have allowed him to delete any image in Facebook’s database.
Delete any video. Earlier that year, another researcher worked out how to delete any video on the social network without permission. That bug involved posting a video to a public event and then replacing that video’s ID in an HTTP post with the ID of the video that the attacker wanted to delete. Facebook would replace the video in the event post with the targeted one, which the attacker could then erase. That discovery also netted a $10,000 reward.
All of those were found by bug bounty hunters looking to do the right thing. The one that got away was the recently discovered flaw in Facebook’s “View As” feature that was exploited by hackers to the tune of about 50 million compromised accounts. Whoever discovered that flaw decided to use the bug themselves rather than tell the social network about it.
To stop those system-wide attacks, Facebook has to be lucky every time. Black hats just have to be lucky once, by discovering a systemically exploitable problem before a white hat does. Given how much sensitive personal information is on the social network, that’s a worrying thought.
I’ll go back to my comment I made on another Facebook article which even the author jumped on me for.
Facebook is dying, it is a community of people waiting to quit, or people that aren’t paying attention to the failings a MAJOR UNITED STATES tech company is making time and time again.
We should be demanding more from our most valued tech companies, especially one in which fraud occurs on and that manipulates masses…
Vice news on HBO has had some great coverage on being able to post political paid for adds on FB and show they are paid for by politicians that really have no idea their name is being invoked…
Funny. I reported this about 2 years ago. They got back to me and said they seen no flaw. They always say the same thing when I report an issue. I actually took over my buddies page just for a laugh. But later gave it back to him. I used that as proof of concept. Oh well. At Least it’s finally fixed now…. or is it.
Not fixed. My client just had this happen. She received a notification that she was changed from Admin to editor. When we went into her page, a new company now has control of her page. We have sent several inquiries to Facebook without any response whatsoever. This is so unacceptable. Not only did they do it to her page but also to her partner’s business page.
Just to be clear – the fact that your client had the same thing happen as described here doesn’t mean that it happened due to this bug. (I know someone who flooded their kitchen by leaving the bath running in the bathroom above until it overflowed. That doesn’t mean that everyone who ever flooded their kitchen left a tap on upstairs.)
For example, someone could have guessed or phished her password, or bribed a colleague or contractor to make the change unlawfully, or used malware on her computer to control her browser remotely… note that I’m not saying any of those happened, just suggesting that there are many possible explanations. Make sure you don’t get distracted by following a red herring.
If you need to recover the account manually, including sending ID and other evidence to Facebook, it might undertandably take a while to get anywhere.