Author Topic: Facebook Rewards Researcher $16,000 for Finding a Way to Hijack Business Pages


Offline legendguru


Arun Sureshkumar, an Indian security researcher, has received a substantial reward from Facebook's security team after helping the company patch a serious bug in its Facebook Pages feature.
The researcher revealed that he had identified a method that let him hijack any Facebook Page he wished, by leveraging a flaw in Facebook Business Manager, an application Facebook created so that businesses can manage Facebook Pages when more than one employee needs access to edit and post content.

Researcher could have hijacked any Facebook Page he wanted
Sureshkumar says that at the heart of the issue is an IDOR (Insecure Direct Object Reference) flaw.

An attacker aware of the flaw could exploit it by intercepting HTTP requests sent to Facebook's servers, locating specific arguments in the request, and editing several parameters.

The attacker could modify the Facebook page parameter, the Facebook user parameter, and the management role parameter to set himself up as an approved editor for any Facebook Page he'd like.

Sureshkumar says the attack worked against any Facebook Page, including those of high-profile figures such as Barack Obama and Bill Gates.

Facebook discovered more bugs thanks to Sureshkumar's report
The researcher disclosed the issue to Facebook in private, and the company decided to pay him an above-average reward because they discovered and patched several other problems while investigating his report.

Back in April 2016, Sureshkumar received another $10,000 from Facebook after he found a way to hijack Facebook accounts by brute-forcing the lookaside.facebook.com subdomain, which Facebook's team forgot to protect. That bug report was based on another one from Anand Prakash, who discovered in March a method to reset user passwords and take over anyone's accounts.
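As an added example (not code from the article, from the researcher, or from Facebook), the following toy role-assignment handler shows the IDOR pattern described above beside a hardened version that verifies the session user actually administers the page before acting on the page/user/role triple. The store, user ids, page ids and role names are all constructed.

```python
"""Object-level authorization for a page-role assignment endpoint.

Constructed example: the data model and function names are hypothetical.
The request carries the three parameters named in the article: the page,
the user to be granted access, and the management role.
"""
from dataclasses import dataclass, field

ALLOWED_ROLES = {"ADMIN", "EDITOR", "MODERATOR", "ANALYST"}


class Forbidden(Exception):
    """Raised when the session user is not allowed to act on the page."""


@dataclass
class PageStore:
    # page_id -> {user_id: role}; constructed sample data
    roles: dict = field(default_factory=lambda: {
        "page:1001": {"user:1": "ADMIN"},
        "page:2002": {"user:9": "ADMIN"},
    })

    def is_admin(self, page_id, user_id):
        return self.roles.get(page_id, {}).get(user_id) == "ADMIN"


def assign_role_vulnerable(store, session_user, req):
    """IDOR pattern: every identifier comes from the request body and is
    used directly. Nothing ties session_user to the page being modified,
    so a tampered page/user/role triple is written to the store."""
    store.roles.setdefault(req["page"], {})[req["user"]] = req["role"]
    return True


def assign_role_fixed(store, session_user, req):
    """Object-level check: the page named in the request must be one the
    session user administers, and the role must come from the allow-list.
    A burst of Forbidden results across many page ids from one session
    is a useful detection signal for parameter tampering."""
    page_id, target, role = req["page"], req["user"], req["role"]
    if role not in ALLOWED_ROLES:
        raise ValueError(f"unknown role {role!r}")
    if not store.is_admin(page_id, session_user):
        raise Forbidden(f"{session_user} is not an admin of {page_id}")
    store.roles.setdefault(page_id, {})[target] = role
    return True


def tampered_request_succeeds(handler):
    """Replay the article's scenario: user:7 holds no role on page:2002 but
    submits a request naming that page and granting himself EDITOR."""
    store, attacker = PageStore(), "user:7"
    req = {"page": "page:2002", "user": attacker, "role": "EDITOR"}
    try:
        handler(store, attacker, req)
    except Forbidden:
        return False
    return store.roles["page:2002"].get(attacker) == "EDITOR"
```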
