Arun Sureshkumar has been added to Facebook’s wall of thanks and netted himself a cool $16,000 bug bounty for finding a zero-day vulnerability in Facebook Business Manager.
Anyone with knowledge of the bug before it was closed could have taken over or deleted any page on Facebook.
Pages are Facebook’s shop window for organisations, brands and high profile individuals; Coca Cola has one, Kim Kardashian has one and, of course, Naked Security has one.
And they could all have disappeared with just a few clicks.
Facebook Business Manager is Facebook’s tool for managing “advert accounts, Pages, apps and the people who work on them”. Somewhat ironically (you’ll see why in a minute) it’s designed to allow different people in a business to access that organisation’s Facebook assets like ads and Pages without sharing login information.
The hack allowed anyone to add any Facebook Page to their Facebook Business Manager account, with Manager rights, and then do whatever they wanted to it – change it, deface it, delete it.
The attack
To exploit the vulnerability an attacker would have needed two Facebook Business Accounts (let’s call them A and B) and to know the unique ID of each (which is easy, it’s in the URL).
The attacker would then have had to log into Facebook Business Manager, assign account B as a partner of account A and intercept the HTTP request their browser sent to Facebook to make the assignment happen.
HTTP requests are easy to intercept using something like an intercepting proxy – Arun used a popular intercepting proxy called Burp Suite.
The intercepted HTTP request contains four parameters of interest:
parent_business_idThe ID of account Aagency_idthe ID of account Basset_idthe ID of a Pagerolethe access rights
To take over any Page the hacker could simply have put its ID into the asset_id parameter and switched the values in parent_business_id and agency_id, before resending the request.
It really was that simple.
A writeup and timeline of Arun’s research is available on his website, as is the video, embedded below, showing the attack in full.
The flaw
The vulnerability Arun discovered was an Insecure Direct Object Reference, a type of bug that allows an attacker to influence things by manipulating references to it that occur in user-supplied data like URLs or POST request parameters.
In this case Arun was able to manipulate Facebook Pages he didn’t own by manipulating a reference to it, the asset_id, in the payload of an HTTP POST request.
There’s simply no way to stop attackers changing user input like the asset_id. Instead, an application like Facebook Business Manager is supposed to check that users are authorised to carry out the actions it’s asked to perform on their behalf.
When those checks don’t work attackers can cause mayhem.
In the last couple of years we’ve seen hefty bug bounties paid out for Insecure Direct Object Reference vulnerabilities that could have affected billions of users.
In April this year, researcher Arne Swinnen found a flaw that could have made him master of any Instagram account and in February 2015 Laxman Muthiyah found himself in a position to knock out Facebook photo albums at will.
Thankfully in all three incidents the problems were found by the good guys; researchers looking to do some good and pocket some well-earned bug bounties.
So kudos to Arun for his excellent work and well deserved reward, and to Facebook whose speed in dealing with security issues like this is often exceptional.
In this case, Facebook nullified the vulnerability less than six hours after Arun’s report was filed.
