A bug bounty program is a deal offered by software companies and websites: any individual who exposes a loophole or vulnerability affecting the system receives the recognition and compensation they deserve. Bug bounty programs help companies address issues before the public becomes aware of them, thus preventing mishaps.
Laxman Muthiyah is one such ethical hacker from India who hit the headlines recently after he discovered a bug in the Facebook Graph API that allowed anyone to delete other users' photo albums using their own Facebook for Android access token.
This time around, Laxman has unearthed a security vulnerability that would allow a third-party application with only limited permissions to take control of a Facebook business page, potentially causing the victim to lose admin access to the page permanently.
Third-party Facebook applications are only allowed to read the details of a page through Graph API nodes and are restricted from performing any other operations, but this rule does not apply to business pages, which can be read, updated and deleted by third-party apps. According to Laxman, a simple sequence of requests makes the target user an admin of the page.
Simply removing the business parameter from the request allows the attacker to gain complete access to the Facebook page in question. In essence, any application that has been granted the "manage_pages" permission can hack all of your Facebook pages. If you had trouble following the modus operandi, the video walks you through the entire procedure.
Laxman says that he had earlier reported the bug to Facebook, and they fixed the vulnerability for non-business pages; however, business pages are still exposed to the threat, and the best precaution is to deny the manage_pages permission to all third-party apps.
Facebook has not only recognized the effort Laxman put into digging out the vulnerability but has also rewarded him $2,500 as a token of appreciation. For some reason, however, they insist that they cannot fix the vulnerability for business pages, which leaves millions of them waiting to be hacked.