Topic: Facebook rewards researcher $16,000 for finding a way to hijack Business Pages

Posted by legendguru (Global Moderator)

Arun Sureshkumar, an Indian security researcher, has received a substantial reward from Facebook's security team after helping the company patch a serious bug in its Facebook Pages feature.
The researcher revealed that he was able to identify a method that allowed him to hijack any Facebook Page he wished to, leveraging a flaw in the Facebook Business Manager, an application Facebook created to let businesses manage Facebook Pages in case more than one employee needed access to edit and post content.

Researcher could have hijacked any Facebook Page he wanted
Sureshkumar says that, at the heart of the issue, is an IDOR (Insecure Direct Object Reference) flaw.

An attacker that was aware of the flaw could exploit this issue by intercepting HTTP requests made to the Facebook server, finding specific arguments in the request and editing several parameters.

The attacker could modify the Facebook page parameter, the Facebook user parameter, and the management role parameter to set himself up as an approved editor for any Facebook Page he'd like.

Sureshkumar says the attack worked against any Facebook Page, including the ones of high-profile figures such as Barack Obama and Bill Gates.
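To make the IDOR pattern concrete, here is an added example (not Facebook's code, and not from the researcher's report) of a role-assignment handler that trusts the page, user and role parameters in the request, next to a fixed version that authorises against the caller's own session and the page's existing roles. The handler names, the in-memory role table and the request shape are constructed assumptions.

```python
# Added example: the IDOR pattern described in the article and its fix.
# All names, the in-memory "database" and the request shape are constructed.

# Constructed sample data: page id -> {user id: role}
PAGE_ROLES = {
    "page-123": {"u-alice": "admin"},
    "page-456": {"u-bob": "admin"},
}

VALID_ROLES = ("admin", "editor", "analyst")


class Forbidden(Exception):
    """Raised when the caller is not allowed to manage the page."""


def assign_role_vulnerable(request: dict) -> str:
    """Trusts every parameter in the request body (the IDOR pattern).

    Nothing ties the request to the caller's identity, so anyone who can
    edit page_id, user_id and role can grant any role on any page.
    """
    page, user, role = request["page_id"], request["user_id"], request["role"]
    PAGE_ROLES.setdefault(page, {})[user] = role
    return f"{user} is now {role} of {page}"


def assign_role_fixed(session_user: str, request: dict) -> str:
    """Decides on the server-side session identity, not on request fields.

    page_id and user_id still come from the request, but the check is made
    against who the caller really is and what role they already hold on
    that page, so editing the intercepted request gains nothing.
    """
    page, user, role = request["page_id"], request["user_id"], request["role"]
    if role not in VALID_ROLES:
        raise ValueError(f"unknown role: {role}")
    # Only an existing admin of *this* page may grant roles on it.
    if PAGE_ROLES.get(page, {}).get(session_user) != "admin":
        # A denied attempt like this is also the event worth logging/alerting on.
        raise Forbidden(f"{session_user} is not an admin of {page}")
    PAGE_ROLES[page][user] = role
    return f"{user} is now {role} of {page}"
```

The fix is an authorisation check keyed on the authenticated caller, not input validation: the object identifiers in the request are legitimate, the missing step is confirming the caller may act on them.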

Facebook discovered more bugs thanks to Sureshkumar's report
The researcher disclosed the issue to Facebook in private, and the company decided to pay him an above-average reward because they discovered and patched several other problems while investigating his report.

Back in April 2016, Sureshkumar received another $10,000 from Facebook after he found a way to hijack Facebook accounts by brute-forcing the lookaside.facebook.com subdomain, which Facebook's team forgot to protect. That bug report was based on another one from Anand Prakash, who discovered in March a method to reset user passwords and take over anyone's accounts.
