An Indian security researcher has discovered a zero-day in the Facebook Page which allowed him to hijack any FB Page belonging to any organisation. Arun Sureshkumar discovered a zero-day in how the Facebook handles requests for its business accounts. Arun has described his bug discovery on his Blogspot where he says he can take over Facebook Page belonging to anybody like President Obama, Prime Minister Modi etc. Facebook Business Manager lets businesses more securely share and control access to their ad accounts, Pages, and other assets on Facebook. Anyone in a business can see all of the Pages and ad accounts they work on in one place, without sharing login information or being connected to their coworkers on Facebook. Arun found that he could deceive Facebook into allowing to access any Facebook Page through its Business Manager zero-day using Insecure Direct Object References vulnerability. Here is a video Arun’s Facebook hack PoC :
Arun informed Facebook about the vulnerability and the FB Security Team acknowledged that the zero-day is highly critical. Facebook temporarily patched the flaw by removing the end-point and then issued an update to completely patch the zero-day in a week. Arun was paid $16,000 for his bug discovery.
