Researcher receives $16,000 for his work

Sep 20, 2016 18:30 GMT  ·  By

Arun Sureshkumar, an Indian security researcher, has received a substantial reward from Facebook's security team after helping the company patch a serious bug in its Facebook Pages feature.

The researcher revealed that he was able to identify a method that allowed him to hijack any Facebook Page he wished to, leveraging a flaw in the Facebook Business Manager, an application Facebook created to let businesses manage Facebook Pages in case more than one employee needed access to edit and post content.

Researcher could have hijacked any Facebook Page he wanted

Sureshkumar says that, at the heart of the issue, is an IDOR (Insecure Direct Object Reference) flaw.

An attacker who knew of the flaw could exploit it by intercepting HTTP requests sent to the Facebook server, locating the relevant arguments in the request and editing several parameters.

The attacker could modify the Facebook page parameter, the Facebook user parameter, and the management role parameter to set himself up as an approved editor for any Facebook Page he'd like.
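As an added illustration (not Facebook's code and not taken from the researcher's report), the following sketch models a role-assignment endpoint built around the three parameters the article names (page, user, role), showing the request-trusting handler next to one that derives authorization from the authenticated session. Page ids, user ids, role names and function names are constructed for the example.

```python
# Constructed model of a "assign role on page" endpoint, not Facebook's code.
from dataclasses import dataclass, field

ROLES = {"ADMIN", "EDITOR", "ANALYST"}  # constructed role set


@dataclass
class Page:
    page_id: int
    roles: dict = field(default_factory=dict)  # user_id -> role


class Forbidden(Exception):
    pass


def assign_role_vulnerable(pages, page_id, user_id, role):
    # IDOR pattern: every value comes from the request and nothing asks
    # whether the caller is allowed to administer this particular page.
    page = pages[page_id]
    page.roles[user_id] = role
    return page.roles


def assign_role_fixed(pages, session_user, page_id, user_id, role):
    # Authorization is decided from the session identity, not the request
    # body: the caller must already hold ADMIN on the page being changed.
    if role not in ROLES:
        raise ValueError("unknown role")
    page = pages.get(page_id)
    if page is None or page.roles.get(session_user) != "ADMIN":
        raise Forbidden(f"user {session_user} may not manage page {page_id}")
    page.roles[user_id] = role
    return page.roles


def demo():
    # Constructed data: user 100 administers page 1; user 999 is unrelated.
    pages = {1: Page(1, {100: "ADMIN"})}
    granted = assign_role_vulnerable(pages, 1, 999, "EDITOR")[999] == "EDITOR"
    pages = {1: Page(1, {100: "ADMIN"})}
    try:
        assign_role_fixed(pages, 999, 1, 999, "EDITOR")
        refused = False
    except Forbidden:
        refused = True
    return granted, refused, 999 not in pages[1].roles


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```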

Sureshkumar says the attack worked against any Facebook Page, including those of high-profile figures such as Barack Obama and Bill Gates.

Facebook discovered more bugs thanks to Sureshkumar's report

The researcher disclosed the issue to Facebook in private, and the company decided to pay him an above-average reward because they discovered and patched several other problems while investigating his report.

Back in April 2016, Sureshkumar received another $10,000 from Facebook after he found a way to hijack Facebook accounts by brute-forcing the lookaside.facebook.com subdomain, which Facebook's team forgot to protect. That bug report was based on another one from Anand Prakash, who discovered in March a method to reset user passwords and take over anyone's accounts.

Sureshkumar recorded proof-of-concept videos for both bugs, which you can view below.