Until very recently, there was a zero-day vulnerability in the Business Manager function on Facebook that could have allowed anyone to access, wreak havoc upon, and/or destroy any business’s representation on the social network if they so pleased. Fortunately, researcher Arun Sureshkamar discovered it, allowing Facebook to nullify the vulnerability.
Businesses, well-known public figures, and brands can create their own pages on Facebook. These pages are maintained by using the Business Manager, where page owners can manage accounts and the other users who are authorized to alter the page. As a part of its design, different business members were supposed to be able to access the business page and its assets.
Not part of the design, but possible anyway through a hack, was the ability for anyone to access a page and then wreak havoc on it or simply delete it. The attack required two Facebook Business Accounts, One and Two in the following example, and required the attacker to know each page’s unique ID, which could be found in the URL.
All the attacker would have to do is assign One and Two as partners and intercept the HTTP request with an intercepting proxy before their browser sent it along to Facebook HQ. This would provide them with the IDs of accounts One and Two, the page’s ID, and the access rights. At that point, the hacker simply inputs the Business page’s ID and switches the account IDs of One and Two before sending the request as if nothing had happened. This flaw is known as an Insecure Direct Object Reference (IDOR): the server acts on the IDs supplied in the request without checking that the requester is authorized for the objects they point to. It can cause an absolute calamity if the wrong person makes use of it.
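The server-side check whose absence makes a flaw like this possible, as an added example that is not from the original post and is not Facebook's code. The data model, field names (`business_id`, `partner_id`, `page_id`, `role`) and sample IDs are all hypothetical and constructed for illustration.

```python
# Added illustration: hypothetical data model, not Facebook's real API.
from dataclasses import dataclass, field


@dataclass
class Store:
    # page_id -> business that owns the page (constructed sample data)
    page_owner: dict = field(default_factory=lambda: {"page-900": "biz-other"})
    # business_id -> user ids that administer that business
    admins: dict = field(default_factory=lambda: {
        "biz-one": {"alice"}, "biz-two": {"alice"}, "biz-other": {"bob"}})
    # (page_id, partner business) -> role granted on the page
    grants: dict = field(default_factory=dict)


def assign_partner_unchecked(store, session_user, req):
    """IDOR pattern: every ID in the body is trusted; session_user is never used."""
    store.grants[(req["page_id"], req["partner_id"])] = req["role"]
    return 200


def assign_partner_checked(store, session_user, req):
    """Re-derive ownership server-side before acting on any client-supplied ID."""
    owner = store.page_owner.get(req["page_id"])
    # The page must belong to the business the caller claims to act for...
    if owner is None or owner != req["business_id"]:
        return 403
    # ...and the logged-in user must be an admin of that owning business.
    if session_user not in store.admins.get(owner, set()):
        return 403
    store.grants[(req["page_id"], req["partner_id"])] = req["role"]
    return 200


# Constructed requests: one edited in transit to name a page the caller does
# not own, and one legitimate request from the page's real owner.
EDITED = {"business_id": "biz-two", "partner_id": "biz-one",
          "page_id": "page-900", "role": "MANAGER"}
LEGIT = {"business_id": "biz-other", "partner_id": "biz-one",
         "page_id": "page-900", "role": "ANALYST"}

if __name__ == "__main__":
    for handler in (assign_partner_unchecked, assign_partner_checked):
        s = Store()
        print(handler.__name__, handler(s, "alice", EDITED), s.grants)
```

The checked handler ignores what the request claims about ownership and looks it up itself, so editing IDs in transit changes nothing the caller was not already allowed to do.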
The prospect of a Business Page being so easily accessed and altered by an outsider would very likely terrify many business owners, and rightly so. As the public face of the company, a Facebook page is where many consumers and service providers go to form their first impression. If a page is handled improperly, that impression could also be the last, as the visitor moves along to another relevant page.
Fortunately for businesses everywhere, Facebook eliminated the vulnerability within six hours after Sureshkamar submitted his report, which earned him a hefty bug bounty for his efforts.