Hacking Facebook Page: This Trick Can Hijack Your Page

Security researcher Laxman Muthiyah has recently discovered a new bug in ‘Facebook pages’ that allows attackers to hijack and take control of any Facebook page that is managed by multiple users on a role basis. Facebook has already fixed this bug and awarded the researcher a bounty.

Although the bug has already been fixed, you should be aware of this trick so you can protect your page from being hijacked in future. So let's start with how Laxman used this trick.

To hack a Facebook page, Laxman exploited a vulnerability in the Facebook business manager endpoint that allowed a third-party app holding only limited permissions to take over any Facebook page and remove the page admin roles of the victim.

Many Facebook business page owners use third-party apps to post automated statuses, publish photos, get fake likes and view other insights. By default, when a user connects a third-party app to his business page, the app is allowed to add or modify page admin roles (page roles like manager, editor, analyst, etc.). The vulnerability allowed hackers to use a rogue app that could add a user of their choosing as admin of the page and permanently remove the actual admins.


How to hack Facebook fan page

Following are the two requests the hacker's app sends to hijack the Facebook page: the first grants the attacker's user a MANAGER role on the page, the second removes the victim's role.

Page Takeover (Request):

POST /<page_id>/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

role=MANAGER&user=<target_user_id>&access_token=<application_access_token>

Removing Victim (Request):

DELETE /<page_id>/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

user=<target_user_id>&access_token=<application_access_token>

How does Facebook page hacking work?

  1. A hacker sets up a rogue Facebook app that contains the above requests.
  2. He then creates a website offering Facebook page likes.
  3. After everything is set, he then lures Facebook page owners to get more likes or reveal insights about their page.
  4. The page owner (victim) accesses the hacker’s website and clicks the Facebook login button, which authorizes the rogue app built by the hacker and eventually hands control of the victim's Facebook page to the hacker.
  5. Instead of getting page likes, the victim loses ownership of the page.
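The two requests quoted above are the only trace this takeover leaves in Graph API traffic: a POST or DELETE to /<page_id>/userpermissions carrying an application access token. The following added example (my own code, not part of the original article or of Facebook's tooling) is a small review helper a page owner or security team could run over exported request logs to flag such page-role changes. The sample requests are constructed, modelled on the ones quoted in the article, and the assumption that application access tokens have the "app_id|app_secret" shape is mine; adjust the check to whatever your log source records.

```python
"""Flag Graph API requests that grant or remove Facebook page roles.

Added example, not from the original article. It parses raw HTTP request
text like the two requests quoted above and reports every call that changes
page roles through /<page_id>/userpermissions, noting whether the call was
authenticated with an application access token rather than a user token.
"""
import re
from urllib.parse import parse_qs

# Constructed sample requests: two modelled on the article's takeover and
# removal requests, plus one benign page post that must not be flagged.
SAMPLE_REQUESTS = [
    "POST /1234567890/userpermissions HTTP/1.1\n"
    "Host: graph.facebook.com\n"
    "Content-Length: 245\n"
    "\n"
    "role=MANAGER&user=1000001&access_token=1122334455|constructedsecret",
    "DELETE /1234567890/userpermissions HTTP/1.1\n"
    "Host: graph.facebook.com\n"
    "Content-Length: 245\n"
    "user=2000002&access_token=1122334455|constructedsecret",
    "POST /1234567890/feed HTTP/1.1\n"
    "Host: graph.facebook.com\n"
    "\n"
    "message=hello&access_token=EAAconstructedUserToken",
]

ROLE_ENDPOINT = re.compile(r"^/(?P<page_id>\d+)/userpermissions$")


def parse_request(raw):
    """Split a raw request into method, path and form parameters."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split()
    if "" in lines:
        # Normal case: body follows the first blank line.
        body = "\n".join(lines[lines.index("") + 1:])
    elif "=" in lines[-1] and ":" not in lines[-1]:
        # Transcripts like the article's omit the blank line; the last
        # line is then the form body (headers always contain a colon).
        body = lines[-1]
    else:
        body = ""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    return {"method": method, "path": path, "params": params}


def is_app_token(token):
    # Assumption for this example: application tokens look like
    # "app_id|app_secret", while user tokens are a single opaque string.
    return "|" in token


def audit(raw_requests):
    """Return one finding per page-role change seen in the requests."""
    findings = []
    for raw in raw_requests:
        req = parse_request(raw)
        match = ROLE_ENDPOINT.match(req["path"])
        if not match or req["method"] not in ("POST", "DELETE"):
            continue  # not a page-role change
        params = req["params"]
        findings.append({
            "page_id": match.group("page_id"),
            "action": "role grant" if req["method"] == "POST" else "role removal",
            "user": params.get("user"),
            "role": params.get("role"),
            "app_token": is_app_token(params.get("access_token", "")),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS):
        print(finding)
```

A role change authenticated by an application token is exactly the pattern this bug abused; in a healthy page, role changes come from human admins acting in the page settings, so any finding with app_token set to True deserves a look at which app holds that token and who authorized it.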

Watch the video demonstration here:
https://www.facebook.com/7xter/videos/707721066037025/

Action: Never fall for free likes or other fan page gimmicks that require you to grant an app permissions over your page. Always double-check the permissions you grant to any third-party application, and remove apps your page no longer needs.


Ashwin S

A cybersecurity enthusiast at heart with a passion for all things tech. Yet his creativity extends beyond the world of cybersecurity. With an innate love for design, he's always on the lookout for unique design concepts.