How to become admin of any facebook fan page (Hijack Facebook Fan Page)

Hacking Any Facebook Page


The latest bug in Social networking site facebook could allow attackers to take over control of your Facebook pages.

Laxman Muthiyah from India has found an issue with the "Facebook business pages" that are not limited to a single user account, but instead represent a business account.

Laxman used third-party application to take complete control of a Facebook business page with limited permissions.


Third party applications are capable of performing different action for user like status update, publishing photos, and Post. Facebook don't allow to any third party application to add or modify admin of page. Facebook only allow a admin of page to manage the permission of account.



However, Laxman demonstrated that,modification in simple string of requests to make himself as admin of the particular Facebook page.

The string is given below:
POST /PGID/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
role=MANAGER&user=X&business=B&access_token=AAAA…
Here, page PGID belongs to business B, where one can manage_pages request to make user 'X' as a MANAGER (assign as an administrator) of the page.

This means these small changes in the string could allow an attacker to gain complete control over your Facebook page.

Laxman reported the flaw to the Facebook security team and received the reward of $2500 USD as a part of Facebook's bug bounty program.

Post a Comment

0 Comments