An Indian security researcher recently earned a $16,000 bug bounty after responsibly disclosing a vulnerability in Facebook Business Manager that, if exploited, could have allowed attackers to take over a targeted victim's Facebook page in a matter of seconds.
Facebook Business Manager is a tool that allows multiple employees to access and manage the same corporate Facebook page and ad accounts. However, the tool contained an Insecure Direct Object Reference vulnerability that allowed attackers “to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object,” explained researcher Arun Sureshkumar in his own blog post, published last week. After learning of the vulnerability on Aug. 29, Facebook patched the bug by Sept. 6, the blog also reported.
To achieve the hack, Sureshkumar created his own business account, and then added a partner from a second account that he also created. Playing the role of attacker, the researcher intercepted the vulnerable partner request, changing its asset ID with the ID of another Facebook page (the target of the hack) and swapping the IDs of the parent business and the partner account, ostensibly reversing their roles. By re-sending the request, Sureshkumar now had admin-level privileges for the targeted page.
Using this technique, attackers could have hijacked any Facebook account and freely performed a variety of damaging actions, including page deletion, Sureshkumar reported.
"We appreciate all the researchers who work closely with our teams to improve the security of Facebook products," said a Facebook spokesperson in an emailed statement to SCMagazine.com. "We're happy to recognize and reward Arun for his excellent report."