
Hacking Facebook Fan Pages with a Simple Trick!


Laxman Muthiyah, a hacker from India, has found a way to hijack Facebook fan pages with a simple trick. It is his third bug this year in the widely popular social network, which just set a new record by reaching 1 billion users in a single day. He discovered a serious security flaw in Facebook Graphs that allowed him to view or probably delete others' photo albums on Facebook, even without authentication. Just a month later, Laxman uncovered another critical vulnerability in the social network platform. It resided in the Facebook Photo Sync feature, which automatically uploads photos from your mobile device to a private Facebook album that isn't visible to any of your friends or other Facebook members.

However, the flaw discovered by Laxman could have allowed any third-party app to access and steal your personal photographs from the hidden Facebook Photo Sync album.

Hacking Any Facebook Page

Third-party Facebook applications can perform all sorts of operations, including posting statuses on your behalf, publishing photos, and other tasks, but Facebook doesn't allow them to add or modify page admin roles.
Facebook allows a page administrator to assign different roles to different people in the organisation through manage_pages, a special access permission requested by third-party apps.
However, according to Laxman, an attacker can use a simple string of requests in an attempt to make himself an admin of the particular Facebook page.

Sample Request

The request looks something like this:

POST /PGID/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

Here, page PGID belongs to business B, and a request made with manage_pages can make user ‘X’ a MANAGER (that is, assign them as an administrator) of the page.
This means these small changes in the request parameters could allow an attacker to gain complete control over your Facebook page.
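
A simplified model of the access-control gap described above, as an added example (not code from the original article or from Facebook). The Token and Page classes, the app_id field and both functions are hypothetical; the block contrasts a check that accepts the manage_pages scope for role changes with one that refuses role changes from any third-party app token.

```python
# Hypothetical model of the page-role authorization check; not Facebook's code.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Token:
    user_id: str                      # page admin who granted the token
    app_id: Optional[str]             # None = first-party session, else a third-party app
    scopes: frozenset = frozenset()   # permissions granted to the app

@dataclass
class Page:
    page_id: str
    roles: dict = field(default_factory=dict)   # user_id -> role name
    denied: list = field(default_factory=list)  # audit trail of refused role changes

def assign_role_vulnerable(page, token, target_user, role):
    # Flawed: any token carrying manage_pages for an admin may edit roles,
    # so a third-party app can promote an arbitrary user.
    if "manage_pages" in token.scopes and page.roles.get(token.user_id) == "MANAGER":
        page.roles[target_user] = role
        return True
    return False

def assign_role_hardened(page, token, target_user, role):
    # Role changes are a separate privilege: never delegated to app tokens,
    # whatever scopes they hold. Refusals are recorded for detection.
    if token.app_id is not None or page.roles.get(token.user_id) != "MANAGER":
        page.denied.append((token.app_id, token.user_id, target_user, role))
        return False
    page.roles[target_user] = role
    return True

def demo():
    """Run the same app-token request against both checks (constructed data)."""
    results = {}
    checks = (("vulnerable", assign_role_vulnerable), ("hardened", assign_role_hardened))
    for name, check in checks:
        page = Page("PGID", {"admin1": "MANAGER"})
        app_token = Token("admin1", "third_party_app", frozenset({"manage_pages"}))
        check(page, app_token, "X", "MANAGER")
        results[name] = (page.roles.get("X"), len(page.denied))
    return results

if __name__ == "__main__":
    print(demo())
```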

Video Demonstration

Laxman has also provided a video demonstration that shows the attack in action. You can watch the video given below, which walks you through the entire procedure:


Hacking Facebook Pages
Another Serious Vulnerability in Facebook
Vulnerability : Hacking Facebook Pages
Status : Fixed
Reward $2500 USD
Proof Of Concept : http://www.7xter.com/2015/08/hacking-facebook-pages.html
Posted by 7xter on Wednesday, August 26, 2015

Laxman reported the flaw to the Facebook security team and received a reward of $2500 USD as part of Facebook’s bug bounty program.
Though the social network has now fixed the loophole, you must always be aware of the permissions you grant to any third-party applications.
