Friday, August 28, 2015

Hacking Facebook Fan Page.


Facebook launched its bug bounty program, which allows security researchers to look for bugs in Facebook and be rewarded according to Facebook's Bug Bounty Reward Program. Recently a bug has been revealed that allows a hacker to gain control.

Laxman from India had already revealed two security bugs and been awarded cash prizes, and he has now revealed a bug that allows any attacker to gain control through fan pages or any business pages.

Business pages or fan pages are not meant for single users; they are managed by a group of people who post and manage the posts made on the Facebook page.

Third-party Facebook applications are capable of performing operations such as publishing posts and photos, but Facebook does not allow them to modify or add admin page roles.

Facebook allows a page administrator to assign different roles to different people in an organisation through manage_pages, a special access permission requested by third-party apps. Modifying the small parameters allows the attacker to take complete control over the Facebook page.

Facebook rewarded him with $2500 and the issue has been patched. A video demonstration has been released and can be found here.

P.S.: This post is meant to create awareness and is not to be misused.
