A newly disclosed flaw let an attacker take over any Facebook Page in under ten seconds. All that was needed were two Facebook Business Manager accounts. The researcher who found it received a $16,000 bounty.
The Facebook Business Manager Security Issue
Facebook Business Manager is a service that lets several people, including outside agencies, jointly administer Facebook Pages and ad accounts. As the name implies, it is used mainly for commercial Pages. The method works through an Insecure Direct Object Reference:
Excerpt from Owasp.org:
Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example, database records or files.
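Seen in code, the bug class looks like this. The following Python is an added example for this article, not Facebook's code or Sureshkumar's proof of concept; the handler name, the `asset_id` parameter, the businesses, Pages and user names are all hypothetical. The vulnerable handler checks who the caller is but not whether the Page named in the request belongs to them; the hardened one checks both:

```python
"""Toy model of the authorization bug class behind the Business Manager issue.

Constructed example added to this article; not Facebook's code and not the
researcher's proof of concept. The handler name, the asset_id parameter,
and every business, Page and user here are hypothetical.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


@dataclass
class Page:
    page_id: str
    owner_business: str  # business that legitimately owns the Page
    admins: set = field(default_factory=set)


# Constructed state: two unrelated businesses, each with one member.
BUSINESS_MEMBERS = {
    "biz-attacker": {"alice"},
    "biz-victim": {"victim-admin"},
}


def make_store():
    """Fresh copy of the constructed Page table, so each run starts clean."""
    return {
        "page-1001": Page("page-1001", "biz-attacker", {"alice"}),
        "page-2002": Page("page-2002", "biz-victim", {"victim-admin"}),
    }


def _require_member(session_user, acting_business):
    # Authentication and business membership are checked in both variants;
    # the bug is not here.
    if session_user not in BUSINESS_MEMBERS.get(acting_business, set()):
        raise Forbidden("caller is not a member of that business")


def vulnerable_assign_partner(store, session_user, acting_business, asset_id, partner_user):
    """IDOR: asset_id is taken straight from the request and never tied to
    the business the caller is acting for, so a member of any business can
    name any Page ID and grant admin rights on it."""
    _require_member(session_user, acting_business)
    page = store[asset_id]
    page.admins.add(partner_user)
    return sorted(page.admins)


def hardened_assign_partner(store, session_user, acting_business, asset_id, partner_user):
    """Fix: authorize the (principal, object) pair, not just the principal.
    The Page must be one the acting business actually owns."""
    _require_member(session_user, acting_business)
    page = store.get(asset_id)
    # One generic error for both "missing" and "not yours", so the endpoint
    # cannot be used as an oracle to enumerate which Page IDs exist.
    if page is None or page.owner_business != acting_business:
        raise Forbidden("asset is not managed by the acting business")
    page.admins.add(partner_user)
    return sorted(page.admins)


def takeover_succeeds(handler):
    """Replay the attacker's request against a handler. Returns True if the
    victim's Page ended up with the attacker-chosen admin."""
    store = make_store()
    try:
        handler(store, "alice", "biz-attacker", "page-2002", "mallory")
    except Forbidden:
        pass
    return "mallory" in store["page-2002"].admins


if __name__ == "__main__":
    print("vulnerable handler hijacked:", takeover_succeeds(vulnerable_assign_partner))
    print("hardened handler hijacked: ", takeover_succeeds(hardened_assign_partner))
```

The `takeover_succeeds` helper is also the manual test a pentester runs for this bug class: log in as one account, capture a request that names an object by ID, swap in an ID belonging to a second account you control, and replay it. If the server acts on the swapped object, the check is missing.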
Arun Sureshkumar is the security researcher who uncovered the flaw. He is an Indian university student and has found Facebook bugs before. He reported the insecure Business Manager feature to Facebook in August and published an updated blog post on September 16.
According to Sureshkumar, the flaw could be used to take over any Facebook Page (he cited those of Bill Gates, Narendra Modi and Barack Obama). Facebook fixed the problem before any exploitation in the wild was reported.
Companion services like Facebook Business Manager are a common pivot for attackers. Integrations that make a platform like Facebook or Twitter faster to administer also extend its trust boundary: the otherwise sound security of the main network now depends on the outside component. Every added service is another target.
For example, PayPal's legitimate notification emails were used to spread the Chthonic banking trojan. A newly introduced messaging feature let criminals place a malicious URL inside an email that genuinely came from PayPal's servers, so it passed the checks that would catch a forged sender.
No security system is watertight, least of all those of social media sites. The Facebook team does what it can to prevent security issues, but the sheer size of the network makes it a large and attractive target. Nowadays everyone can be hacked, as OurMine likes to claim.