How one man could have taken over any business on Facebook | Cyber Security

The flaws in Facebook‘s social network just keep coming. The latest one, luckily discovered and reported by a white hat researcher, enabled anyone on Facebook to make themselves (or anyone else) an administrator for any Facebook business account.

Facebook’s business accounts are designed to let the likes of businesses, charities and publications manage their presence on the social network. Admins can handle advertising, message followers, post updates on Facebook pages, and add and remove other people entitled to manage the business account.

Security researcher Philippe Harewood says on his blog that he discovered a way to import administrators to a business account via a call to the social network’s website that didn’t have any access control set on it. This made it possible to add anyone as an administrator to any business account, he claimed.

The attack could be executed by making a simple HTTP post to Facebook’s site that included the ID of the targeted business, the ID of the attacker’s account, and a session ID. In a demo video on the blog, he shows himself making an HTTP post to Facebook and then showing the new admin added in the Facebook Business Manager.

He said:

This could have let an attacker without an existing role, take over any business account and gain access to various business assets (Facebook pages, Ad accounts, applications, Instagram accounts) connected to the business.

Harewood says that he reported the vulnerability to Facebook on 9 October, and the company began investigating on the same day. It fixed it within six working days and then awarded him a $27,500 bounty.

He is one of 139 people that Facebook thanked on its bug bounty appreciation page for this year. Last year, the average reward per submission increased to almost $1,900, the company said, and it paid out a total of over $880,000 to researchers, bringing its total paid out to over $6.3 million.