Tuesday 22 October 2013

Playing with Facebook Pages

Back in July I took a look at Facebook Pages. With most of the Facebook CSRF/XSS already fixed I instead focused on abusing the features and permissions at a high level just playing around with the legitimate functionality.

Today I'll talk about two issues that caught my eye.

Ban Your Manager

The first issue I found was a permissions hole in the "ban" feature. For Facebook pages the power hierarchy looks like this: 

Manager -> Content Creator -> Moderator ->  Advertiser -> Insights Analyst  

With the Manager role having the most control and Insight Analyst the least. I created two users Mike (the manager) and Mark (the moderator). While logged in as Mark I tried to delete one of Mike's posts.

Much to my surprise I was given the option of banning the manager...

It turned out if you were a Manager/Content Creator/Moderator you could ban anyone with Manager/Content Creator/Moderator effectively going against the intended power hierarchy.

Also when you get banned there is no information to indicate who banned you, not even in the page activity log. Manager's can unban themselves but there's nothing stopping our attacker from re-banning them. So if you have a rogue moderator or a moderator account that got hacked, an attacker could silently perform a ban DOS. Cool.

Wana be a featured admin?

Probably the most fun issue I found involved the "add a featured admin" functionality. By default, pages don't display the admin but you can set a "featured admin" who will show up publicly on the "about" page. To do this you first need to add the user as a page role, let's go with the lowest permissions:
Now we go to the featured admin page.
And add our admin:

Once added he'll be publicly visible as the page admin.

So where's the security flaw I hear you ask? Well in the above steps did you notice that not once did we ask the user's permission to perform any of these actions? Facebook pages by design do not ask a user's permission before making them an admin or featured admin. The only prerequisite was that the user either liked the page or was a friend of ours.

So with malicious intentions in mind how could we abuse this? Well one possible attack would be to make someone a featured admin then change the content of the page to something malicious and publicize the fact they are the admin.

For example, our page starts out as a normal Breaking Bad fan club, nothing suspicious here...

The manager makes you featured admin, cool, but then changes the content and leaves the page, not cool!

JUSTIN BIEBER!!! NOOOOOOOOOOOOOOOOOO!!!!! So now all your friends see you're the admin of a Justin Bieber fan club and proceed to make fun of you for the next few years :)

I assumed Facebook would notify users when changes like this were made, but that's not always the case. You are notified if you're made an admin for the page, but not notified if you are made the 
publicly visible featured admin! Uh oh.

Final Thoughts

Were these serious issues involving account compromise, data loss or blowing up Facebook servers? Nope. But they were/are features that could be abused for malicious purposes.

It can be easy to class such issues as low severity and dismiss them but targeted exploitation could cause some real damage. Imagine if instead of Justin Bieber, our page was focused on a sensitive political issue and constructed to appear legitimate. What happens if a celebrity or political figure is tricked into being the featured admin? Watch as chaos ensues :)

Pwndizzle out.