How a Single click can give your Facebook Page Admin access to an attacker?
Hello all,
I had discovered an interesting loophole in Facebook Business where a single click can give the access of your Facebook Page to anyone, which means an attacker can become the “Admin” of any Facebook Page by manipulating the “Admin” of targeted page using Social Engineering tactics.
Social Engineering does not come under Facebook bug listings but I personally believe that a scammer can take advantage of this loophole to hijack a Facebook Page.
Let me describe in step by step:
- Browse Facebook Business https://business.facebook.com/ and log in to you Facebook Account.
2. Click on Business settings
3. Now add your Page there as you can see below, I have added my “Hackers Day” page.
4. Then click on Add button (in blue color) and select “Request access to a Facebook Page”. You will have to select your primary page for request as shown in screenshot below and the click “Next”.
5. Now search any name or Page of which you want to request the access. I have searched the name “Narendra Modi” Official Page as shown below.
6. Here you can see the option of “Admin Access”, click the “Manage Page” and then click on “Request Access”
7. Now your request will go to the Admin of PM Modi’s Facebook Page.
Let me explain how an attacker can easily get access of any Facebook Page by Social Engineering.
- Imagine an attacker creates a Facebook Page with the name such as “Facebook Verification” or with any name to pretend an authentic request.
- Once the “Page Access Request” reaches to the admin of targeted Page, if the attacker has smartly created the fake Facebook Page then the admin can easily believe that the request has come from the authentic source and once the Admin “accepts the request”, the Page can be easily hijacked by the attacker.
- Let me create a real scenario to explain how anyone can accidentally or by getting manipulated by the attacker, can approve the access request.
I own a Page named “Hackers Day”, therefore I am using this Page as an attacker.
Now, I have created a target Page named “Soft Yug” where I will send “Page Access Request” as you can see below in screenshot.
As you can see in the screenshot below, I have sent the Request Access to “Soft Yug” Page.
Now when I logged in to my another account in which I have created “Soft Yug” Page as target page, you can clearly see below in the screenshot there is a “Pending partner request” from the attacker Page “Hackers Day”
Once I accept the request by clicking “Accept Request”, “Hackers Day” will become the “Admin” of targeted Page as shown below in screenshot.
Now take a look at permissions which an attacker will get once his request gets accepted.
The attacker will become the “Admin” of targeted Page. Attacker can remove another (real admin) and can publish posts on hijacked page. Attacker can read or send messages from the hijacked account.
Now you can understand how an attacker can easily manipulate any Page Admin by doing good “Social Engineering” because Social Engineering is the “Most Effective” attack, even Today and we have already seen recently in celebrities' Twitter Accounts Hack which was done using Social Engineering with internal team of Twitter.
Nitin Pandey
contact[at]nitinpandey[dot]info
Facebook/Twitter/Instagram: @initinpandey
