1. Hacking any actions on Facebook account – A CSRF Bypass
This CSRF vulnerability allows the attacker to take over the account completely and also it has the ability to perform any actions like liking page, posting a photo, etc. on the victim’s Facebook account anonymously without hacking into the account.
This flaw existed in the ads manager endpoint. The sample account take over CSRF request look like this
POST /ads/manage/home/?show_dialog_uri=/settings/email/add/submit/?new_email=<attacker_email>
All the attacker has to do is to craft a CSRF page with a form to auto submit the post request in an iframe when the victim lands on the page. The attacker’s email will be added to the victim’s account anonymously.
Then the attacker can hack into victim’s Facebook account by resetting the password.
This was found by Pouya Darabai in 2015 and got a bounty of $15,000 through Facebook bug bounty program.
2. Hack any Facebook page without being an admin
This Facebook page hacking method was found by Arun in 2016 and has got a reward of $16,000 USD for it.
Business manager endpoint used to assign a partner was vulnerable in this case. Changing the partner business asset ID parameter to a page ID allowed Arun to hack into any page.
Sample Request
POST /business_share/asset_to_agency/
Host: business.facebook.com
parent_business_id=<business_id>&agency_id=<business_id>&asset_id=<target_page_id>
Business ID parameter should be assigned to the attacker’s business ID and asset ID parameter should be replaced with the target Facebook page ID.
That is it. Now the target page should be owned by the business. The attacker can remove the existing page admins to completely take over the Facebook page.
3. Hacking Facebook user’s Private Photos
This private photos vulnerability was found by me in 2015 and got a reward of $10,000 as a part of their bounty program.
What do I mean by Private photos in the first place? The photos that you have in mobile and not published to Facebook those are the ones I mean when I say private photos.
The mobile app has a default feature called syncing mobile photos. Interestingly this feature was turned on by default in some mobile phones.
This feature uploads your mobile photos to FB server but keeps it private until you manually publish it to Facebook.
A Vulnerability in an endpoint handling these private photos allows any third party app to view/access user’s private photos. For this attack to work, the third party app must have access to user’s public photos, only then it can access the private photos.
Sample request to Graph API to access the private photos of victim looks like this
GET /me/vaultimages
Host: graph.facebook.com
access_token=<victim_access_token>
That’s it. The response from the API endpoint should have the URLs to private photos of the victim.
Facebook patched the issue by whitelisting the apps that can access vaultimages endpoint.
4. Hacking any Facebook user’s Photos
Arul Kumar found a way to delete any photo on Facebook in 2013 and they rewarded him $12,500 for his efforts.
Facebook has a feature to report photo to the owner if someone want to get the photo removed. The owner of the photo gets a notification and a link to delete the photo once reported by someone.
Arul found that the support dashboard photo reporting feature wasn’t validating the owner IDs properly thus it allowed him to replace the owner ID parameter with his own Facebook account ID to get the photo deletion link directly.
Then the attacker can delete the photo with the help of gained link from the exploit. The worst part about this attack is that the victim won’t know the photo was deleted. This vulnerability is completely fixed now.
5. Hack any Facebook user’s photo/video Albums
This vulnerability was found by me in 2015 that allowed me to take down any albums on Facebook. Albums with thousands of photos and videos can be deleted instantly without the interaction of its owner.
Graph API is the primary way of communication between the server and native/third party apps. Albums node of Graph API endpoint was vulnerable to insecure object reference thus it allowed me to issue any user’s album ID to process the deletion.
A sample request to delete any Facebook photo album
POST /<album_id>
Host: www.facebook.com
access_token=<top_level_facebook_access_token>&method=delete
This could delete the album specified in the ID parameter. The attacker should have the permission to view the album to complete the attack. Facebook patched this issue by fixing the endpoint to only allow users with privileges and rewarded me $12,500 USD for reporting the vulnerability.
This CSRF vulnerability allows the attacker to take over the account completely and also it has the ability to perform any actions like liking page, posting a photo, etc. on the victim’s Facebook account anonymously without hacking into the account.
This flaw existed in the ads manager endpoint. The sample account take over CSRF request look like this
POST /ads/manage/home/?show_dialog_uri=/settings/email/add/submit/?new_email=<attacker_email>
All the attacker has to do is to craft a CSRF page with a form to auto submit the post request in an iframe when the victim lands on the page. The attacker’s email will be added to the victim’s account anonymously.
Then the attacker can hack into victim’s Facebook account by resetting the password.
This was found by Pouya Darabai in 2015 and got a bounty of $15,000 through Facebook bug bounty program.
2. Hack any Facebook page without being an admin
This Facebook page hacking method was found by Arun in 2016 and has got a reward of $16,000 USD for it.
Business manager endpoint used to assign a partner was vulnerable in this case. Changing the partner business asset ID parameter to a page ID allowed Arun to hack into any page.
Sample Request
POST /business_share/asset_to_agency/
Host: business.facebook.com
parent_business_id=<business_id>&agency_id=<business_id>&asset_id=<target_page_id>
Business ID parameter should be assigned to the attacker’s business ID and asset ID parameter should be replaced with the target Facebook page ID.
That is it. Now the target page should be owned by the business. The attacker can remove the existing page admins to completely take over the Facebook page.
3. Hacking Facebook user’s Private Photos
This private photos vulnerability was found by me in 2015 and got a reward of $10,000 as a part of their bounty program.
What do I mean by Private photos in the first place? The photos that you have in mobile and not published to Facebook those are the ones I mean when I say private photos.
The mobile app has a default feature called syncing mobile photos. Interestingly this feature was turned on by default in some mobile phones.
This feature uploads your mobile photos to FB server but keeps it private until you manually publish it to Facebook.
A Vulnerability in an endpoint handling these private photos allows any third party app to view/access user’s private photos. For this attack to work, the third party app must have access to user’s public photos, only then it can access the private photos.
Sample request to Graph API to access the private photos of victim looks like this
GET /me/vaultimages
Host: graph.facebook.com
access_token=<victim_access_token>
That’s it. The response from the API endpoint should have the URLs to private photos of the victim.
Facebook patched the issue by whitelisting the apps that can access vaultimages endpoint.
4. Hacking any Facebook user’s Photos
Arul Kumar found a way to delete any photo on Facebook in 2013 and they rewarded him $12,500 for his efforts.
Facebook has a feature to report photo to the owner if someone want to get the photo removed. The owner of the photo gets a notification and a link to delete the photo once reported by someone.
Arul found that the support dashboard photo reporting feature wasn’t validating the owner IDs properly thus it allowed him to replace the owner ID parameter with his own Facebook account ID to get the photo deletion link directly.
Then the attacker can delete the photo with the help of gained link from the exploit. The worst part about this attack is that the victim won’t know the photo was deleted. This vulnerability is completely fixed now.
5. Hack any Facebook user’s photo/video Albums
This vulnerability was found by me in 2015 that allowed me to take down any albums on Facebook. Albums with thousands of photos and videos can be deleted instantly without the interaction of its owner.
Graph API is the primary way of communication between the server and native/third party apps. Albums node of Graph API endpoint was vulnerable to insecure object reference thus it allowed me to issue any user’s album ID to process the deletion.
A sample request to delete any Facebook photo album
POST /<album_id>
Host: www.facebook.com
access_token=<top_level_facebook_access_token>&method=delete
This could delete the album specified in the ID parameter. The attacker should have the permission to view the album to complete the attack. Facebook patched this issue by fixing the endpoint to only allow users with privileges and rewarded me $12,500 USD for reporting the vulnerability.