The blue social media giant a flaw on its website in the previous month, which allowed a hacker to gain control of the Facebook page. Arun Suresh Kumar, a student at the MES College of Engineering, India, updated Facebook about this flaw in August; this flaw was then fixed by Neal Poole (a security engineer at Facebook), who also informed Arun about the fix.
However, like every professional security researcher, Arun wants to show off his findings in the upcoming security conference, SecCon, which is going to take place in India. And for those of you who would like to study the vulnerability, you can do so by clicking here.
With that said, the flaw, which originates from the Facebook procedure used for processing business account requests, became the reason for a $16,000 reward via the company’s Bug crowd Bounty Program.
The flaw, which was a vulnerable open object, allowed Arun to avoid authorization and obtain the data and other information by editing the values of the factor present – in Facebook’s case, being asset ID digits.
However, according to Arun’s proof of concept, he used only two account numbers to hack into the Facebook Business Page, as only those were required. Initially, Arun first hacked the request, which then allowed him to swap the unique identifier linked to the page. This being his target, he then sent the request again, which in turn, allowed him to become the admin of that page.
Arun stated that if he would have completed the hack, or if anyone had found this flaw, it would have allowed them to take control over any Facebook page, even official pages belonging to people such as the President of the United States. Once the flaw was demonstrated to Facebook, the company only took a few days to set the rate for his reward.
Arun has made a name for himself in the world of Facebook, as he has helped Facebook update their security; and has papered in Facebook’s bounty program for three consecutive years. He also found a bug in Facebook’s system that allowed him to take complete control over a Facebook account; in return the social media company awarded Arun with a $10,000 bounty. The flaw, rooted from the fact that Facebook did not limit the forgot password options, allowed Arun to abuse this feature and over time, take control.
If you want to read more about Arun’s discovery, visit his website.
You want to support Anonymous Independent & Investigative News? Please, follow us on Twitter: Follow @AnonymousNewsHQ
This article (Facebook Updates Page Takeover Vulnerability) is a free and open source. You have permission to republish this article under a Creative Commons license with attribution to the author and AnonHQ.com.
