How any Facebook page could have been hijacked or deleted... in just 10 seconds

Can you imagine just how much online criminals would pay to be able to hijack, and even delete, any page on Facebook?

Facebook pages are used by organisations, businesses and high profile figures like FC Barcelona (94 million fans), Vin Diesel (100 million fans), and Shakira (104 million fans) to promote their brands and are an essential part of their marketing.

Hey, even Bitdefender has a thriving Facebook page, where we keep over one million fans (and counting!) up-to-date on the latest security threats and share advice on how to keep your computer safe online.

For a celebrity or well-known brand to lose control of its Facebook page could be catastrophic, eroding the trust of fans and – potentially – spreading malicious links or hate speech.

It’s easy to picture how a hacker could demonstrate their power to break into a particular Facebook page, and then attempt to extort money from the page’s legitimate owner by making threats of doing it again in a more malicious way next time.

My guess is that if someone were able to devise a way of hacking any page on Facebook, that criminal gangs would be prepared to pay a pretty penny for the method.

Chances are that a hacking gang would pay more than the $16,000 Facebook has just paid a security researcher who uncovered a method to takeover any Facebook page in less than 10 seconds.

Arun Sureshkumar responsibly disclosed the vulnerability to Facebook’s security team at the end of August, and will share further details of the flaw at the 0SecCon being held in India later this month.

As Sureshkumar demonstrates in a proof-of-concept YouTube video he made of the exploit, an insecure direct object reference vulnerability allowed him to bypass authorisation checks in Facebook Business Manager – the free feature which allows multiple members of a team to share access to a Facebook page without having to share login details.

The video – best viewed in full screen mode – sees Sureshkumar change a business ID number in a web request to that of the ID number of the page he wants to hack, granting him the required rights to surreptitiously add himself as a manager of the targeted Facebook page.

Clearly Facebook should have done a better job at checking whether the request was authorised, rather than just saying “Oh, I’ll trust that parameter I’ve been passed as genuine”.

In his blog post, Sureshkumar explains that he could have taken over the pages of famous figures such as Bill Gates and Barack Obama, and performed critical actions such as page deletion.

For its part, Facebook’s security team appears to have patched the vulnerability rapidly – and decided to reward Sureshkumar through its bug bounty program:

“I wanted to reach out and inform you that we have decided to pay you a bounty of 16,000 dollars for this report. A majority of the bounty is for the page takeover capability of your exploit, but while investigating your report we discovered and fixed another issue as well, so the bounty is a little higher because of that. You can expect the standard longer payout message later in the week.”

Well done to Facebook for fixing the problem, Sureshkumar for finding it in the first place and for his responsible disclosure.

But I can’t help but feel that this vulnerability would have been worth much more than $16,000 on the criminal underground – and that Facebook might want to assess its bounty rewards in future to ensure that vulnerability researchers are properly rewarded, and not tempted by the dark side…