
Researcher rewarded for finding Facebook Business Manager account takeover flaw

An Indian security researcher recently earned a $16,000 bug bounty after responsibly disclosing a vulnerability in Facebook Business Manager that, if exploited, could have allowed attackers to take over a targeted victim's Facebook page in a matter of seconds.

Facebook Business Manager is a tool that allows multiple employees to access and manage the same corporate Facebook page and ad accounts. However, the tool contained an Insecure Direct Object Reference (IDOR) vulnerability that allowed attackers “to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object,” explained researcher Arun Sureshkumar in his own blog post, published last week. After learning of the vulnerability on Aug. 29, Facebook patched the bug by Sept. 6, the blog also reported.

To demonstrate the attack, Sureshkumar created his own business account and then added a partner from a second account that he also controlled. Playing the role of attacker, the researcher intercepted the vulnerable partner request, replaced its asset ID with the ID of another Facebook page (the target of the attack), and swapped the IDs of the parent business and the partner account, effectively reversing their roles. Re-sending the modified request gave Sureshkumar admin-level privileges on the targeted page: the server accepted whichever asset ID the request named without verifying that the requesting business actually owned it.
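The flaw described above is the classic IDOR pattern: the server authenticates the caller and checks that the caller administers the business named in the request, but never checks that the asset named in the same request belongs to that business. The following is an added example, not code from the article or from Facebook, that models a partner-assignment endpoint with that missing check beside a hardened version. The data model, request field names (`parent_business_id`, `partner_business_id`, `asset_id`), function names and all IDs are assumptions constructed for illustration.

```python
# Added example (not Facebook's code): a minimal model of a Business Manager style
# "assign partner to asset" handler, vulnerable and fixed. All names, request
# fields and IDs below are constructed assumptions for illustration.
from dataclasses import dataclass


@dataclass
class Business:
    id: int
    admins: set   # user ids allowed to act on behalf of this business
    assets: set   # page ids this business owns


@dataclass
class Page:
    id: int
    admin_businesses: set  # business ids holding an admin role on the page


class Store:
    """In-memory stand-in for the backend data store."""

    def __init__(self):
        self.businesses = {}
        self.pages = {}


class Forbidden(Exception):
    """Raised when an authorization check fails."""


def build_sample_store():
    """Constructed sample data: a victim business that owns page 9001, and two
    attacker-controlled businesses (200 and 300), one of which owns page 9002."""
    store = Store()
    store.businesses[100] = Business(100, {"victim"}, {9001})
    store.pages[9001] = Page(9001, {100})
    store.businesses[200] = Business(200, {"attacker"}, {9002})
    store.businesses[300] = Business(300, {"attacker"}, set())
    store.pages[9002] = Page(9002, {200})
    return store


def assign_partner_vulnerable(store, actor, req):
    """Vulnerable handler: verifies the actor administers the parent business,
    then grants the partner business admin on whatever asset_id the request
    names. asset_id is never checked against the parent's assets, so any page
    id can be substituted. This is the IDOR."""
    parent = store.businesses[req["parent_business_id"]]
    if actor not in parent.admins:
        raise Forbidden("actor is not an admin of the parent business")
    page = store.pages[req["asset_id"]]            # attacker-controlled reference
    page.admin_businesses.add(req["partner_business_id"])
    return page.admin_businesses


def assign_partner_fixed(store, actor, req):
    """Hardened handler: every object the request references is resolved and
    bound to the actor's authority before it is used."""
    parent = store.businesses.get(req["parent_business_id"])
    partner = store.businesses.get(req["partner_business_id"])
    page = store.pages.get(req["asset_id"])
    if parent is None or partner is None or page is None:
        raise Forbidden("unknown object")  # same error for all cases: no oracle
    if actor not in parent.admins:
        raise Forbidden("actor is not an admin of the parent business")
    # The ownership check the vulnerable version lacks: the asset must belong
    # to the parent business, and the parent must actually hold admin on it.
    if page.id not in parent.assets or parent.id not in page.admin_businesses:
        raise Forbidden("asset is not owned by the parent business")
    page.admin_businesses.add(partner.id)
    return page.admin_businesses


def tampered_request():
    """The request as an attacker would rewrite it in an intercepting proxy:
    asset_id replaced with the victim's page, and attacker-controlled businesses
    placed in both business fields (the article reports the two business ids
    were also swapped; here both are simply attacker-owned)."""
    return {"parent_business_id": 300, "partner_business_id": 200, "asset_id": 9001}


def demo():
    """Run the tampered request against both handlers and report the outcome."""
    vuln_store = build_sample_store()
    vulnerable_after = set(assign_partner_vulnerable(vuln_store, "attacker", tampered_request()))
    fixed_store = build_sample_store()
    try:
        assign_partner_fixed(fixed_store, "attacker", tampered_request())
        fixed_blocked = False
    except Forbidden:
        fixed_blocked = True
    # A legitimate request from the real owner still succeeds on the fixed handler.
    legit = {"parent_business_id": 100, "partner_business_id": 200, "asset_id": 9001}
    legit_after = set(assign_partner_fixed(build_sample_store(), "victim", legit))
    return {"vulnerable_after": vulnerable_after,
            "fixed_blocked": fixed_blocked,
            "legit_after": legit_after}


if __name__ == "__main__":
    print(demo())
```

The point of the fixed handler is that authorization is decided on the resolved objects, not on the IDs the client supplied: the server looks up the page, confirms it belongs to the business the actor administers, and only then mutates it. Returning one generic error for missing and unauthorized objects also avoids turning the endpoint into an ID-enumeration oracle.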

Using this technique, attackers could have hijacked any Facebook page and freely performed a variety of damaging actions, including page deletion, Sureshkumar reported.

"We appreciate all the researchers who work closely with our teams to improve the security of Facebook products," said a Facebook spokesperson in an emailed statement to SCMagazine.com. "We're happy to recognize and reward Arun for his excellent report." 

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
