Facebook quickly resolved a vulnerability in its Business Manager tool late last month that could have let an attacker take over any Facebook page.
Arun Sureshkumar, a security researcher in India, disclosed the vulnerability Aug. 29; a member of Facebook’s security team, Neal Poole, informed him the following day it had been fixed.
Sureshkumar, a student at MES College of Engineering, in Kuttippuram, described the disclosure process in a blog post on Friday. He plans to go into further detail on the bug at 0SecCon, a security conference in India, later this month.
The bug, which stems from the way Facebook processed requests for business accounts, fetched him a $16,000 bounty through Facebook’s Bugcrowd bug bounty program. The bug, technically an insecure direct object reference vulnerability, allowed him to bypass authorization and access resources such as database entries by modifying the value of a parameter, in this case an asset id numbers.
According to his proof-of-concept disclosure, Sureshkumar only needed two business account numbers to carry out the attack. He first intercepted a request, swapped a unique identifier associated with the page he wanted to hack, and resent the request. Afterwards, Sureshkumar could simply assign himself as the page’s administrator to achieve full access.
If exploited Sureshkumar claims the bug could’ve allowed him to take over a Facebook page, even those belonging to popular figures like Bill Gates, and Barack Obama, and carry out a handful of actions, including page deletion. Once an attacker was in control of a Facebook page they could carry out a handful of actions.
It took a few days for Facebook to determine how much money to award the researcher but late last week a member of the site’s security team said his bug merited a $16,000 bounty.
“A majority of the bounty is for the page takeover capability of your exploit, but while investigating your report we discovered and fixed another issue as well, so the bounty is a little higher because of that,” read part of the email, according to Sureshkumar.
Sureshkumar is no stranger to finding bugs in the social media site. He’s appeared on Facebook’s white hat responsible disclosure list three years in a row.
A bug he dug up in Facebook back in April also could have led to a full account takeover. That vulnerability, which Facebook paid him $10,000 for, stemmed from the fact that Facebook didn’t enforce rate limiting, usually used to control the rate of traffic sent or received from sites. He discovered that by exploiting Facebook’s forgotten password option he could take over accounts and view messages, photos, and any other stored credentials.