Facebook Business Manager is Facebook’s tool for managing advertisement accounts, Pages, Apps and the people who work on them. Pages, as most of you know, are Facebook’s shop window for organizations, brands, and high profile individuals; Coca-Cola has one and of course, our dear old Nutella has one. And they would all have disappeared with just a few clicks, had it not been for Arun Sureshkumar.
This young prodigy who hails from Kerala figured out that the Facebook Business Manager tool contained an Insecure Direct Object Reference. What is an IDOR, you ask? It is a class of bug in which an application accepts a reference to an internal object (here a page, business or partner ID) in user-supplied data such as a URL or a POST request parameter, and then acts on that object without checking that the requester is actually authorized to use it. To demonstrate the issue, Arun created his own business account and then added a partner from a second account that he had also created himself. Playing the role of attacker, he intercepted the vulnerable partner request, replaced its asset ID with the ID of another Facebook page (the target of the hack) and swapped the IDs of the parent business and the partner account, effectively reversing their roles. By re-sending the request, Arun now had admin-level privileges on the targeted page.
He thus proved that, using this technique, attackers could have hijacked any Facebook account and freely performed a variety of damaging actions, including page deletion. The find earned Arun a place on Facebook’s ‘Wall of Thanks’. Moreover, he netted himself a cool $16,000 bug bounty for finding a zero-day vulnerability in Facebook Business Manager.
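The server-side checks that defeat this kind of request tampering, shown as an added illustration rather than Facebook's own code: a simplified "add partner to asset" handler in its vulnerable form beside a hardened one. The business, page and user names are constructed sample data, and the data model is a stand-in, not the real Business Manager schema.

```python
import copy

# Constructed sample tenancy data (stand-in model): which users administer
# which business, and which business owns which Page.
BUSINESS_ADMINS = {"biz-victim": {"alice"}, "biz-attacker": {"mallory"}}
PAGE_OWNER = {"page-victim": "biz-victim", "page-attacker": "biz-attacker"}
PAGE_ROLES = {"page-victim": {"alice": "admin"}, "page-attacker": {"mallory": "admin"}}


class AuthorizationError(Exception):
    pass


def add_partner_vulnerable(caller, req, roles=PAGE_ROLES):
    """Grant the partner business admin rights on the requested asset.

    This is the IDOR: every identifier is trusted straight from the request
    body. The caller is never compared with the parent business, and the
    asset is never compared with the business that actually owns it.
    """
    roles = copy.deepcopy(roles)
    for admin in BUSINESS_ADMINS[req["partner_id"]]:
        roles.setdefault(req["asset_id"], {})[admin] = "admin"
    return roles


def add_partner_fixed(caller, req, roles=PAGE_ROLES):
    """Same operation, but every supplied ID is authorized against server records."""
    business, asset, partner = req["business_id"], req["asset_id"], req["partner_id"]
    # 1. The caller must administer the business the request names as parent.
    if caller not in BUSINESS_ADMINS.get(business, set()):
        raise AuthorizationError(f"{caller} does not administer {business}")
    # 2. Ownership is looked up server-side, never taken from the request.
    if PAGE_OWNER.get(asset) != business:
        raise AuthorizationError(f"{asset} is not owned by {business}")
    # 3. The partner must be a real, different business (blocks the ID swap).
    if partner == business or partner not in BUSINESS_ADMINS:
        raise AuthorizationError(f"invalid partner {partner}")
    roles = copy.deepcopy(roles)
    for admin in BUSINESS_ADMINS[partner]:
        roles.setdefault(asset, {})[admin] = "admin"
    return roles


# The tampered request from the write-up: mallory (admin of biz-attacker only)
# names the victim's page as the asset and swaps the business/partner roles.
TAMPERED = {"business_id": "biz-victim", "partner_id": "biz-attacker",
            "asset_id": "page-victim"}

if __name__ == "__main__":
    print(add_partner_vulnerable("mallory", TAMPERED)["page-victim"])
    try:
        add_partner_fixed("mallory", TAMPERED)
    except AuthorizationError as err:
        print("rejected:", err)
```

Check 1 is the one that actually closes the hole; checks 2 and 3 stop the asset and partner IDs from being pointed at objects the caller does not control even when the parent business ID is legitimate.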
We have previously run a very short story on bug bounty hunters; now AcadGild has met up with Arun Sureshkumar for an exclusive interview. We had a wonderful time talking to him about his Facebook bug hunt and his take on cyber security.
AcadGild (AG): What was your first experience in bug spotting? What did you learn from that experience?
Arun Sureshkumar (AS): It was in 2013, an IDOR vulnerability which allowed other roles of the page to delete and unpublish Facebook Pages. Since then, I have started my journey and have successfully found different logical and privacy security issues. Recently I reported another high impact issue, “Facebook Page Takeover”, which was the top bug I spotted in my good 3 years (2013 to 2016) with Facebook.
AG: What made you suspicious of the Full Account Takeover bug in Facebook?
AS: I heard about a similar bug that was reported to Facebook by Anand Prakash, which led me to find the brute force attack in the Facebook subdomain (http://lookaside.facebook.com). I believe that Facebook bugs have a greater societal impact. One can say for sure that Facebook helps the world connect on a different level altogether. These business pages open business opportunities by connecting with people at a much more personal level. Hence, it is important to keep such connections pristine and error free.
AG: When needling out the bug, who were your partners that helped you in your quest?
AS: Remya and Saheer, my teachers were a great source of support. Let me also mention my friends, Sahad, Vijith, Jawad and Faisal who were with me throughout the way.
AG: Describe your experience with Facebook. How many such giants have you helped by pointing out their bugs?
AS: Facebook keeps a good relationship with security researchers and they are very happy to honor and reward us for our findings. Recently (August 2016) I visited their security team in the USA. I had a wonderful time meeting up with Neal Poole and Reginaldo Silva, the Facebook security engineers in the USA. They were a great inspiration for me. I was happy to note that they were urging us to push our limitations and set new goals.
Other companies that I have helped in a similar manner are Google and AT&T.
AG: What is your take on the Security issues around the world?
AS: No application is error free; developers must concentrate on the security of the apps they develop. I suggest developing apps using one’s own framework, which can reduce a massive cyber-attack. If using frameworks (already coded by others), a massive attack should be expected if one of the websites is affected by that particular issue.
AG: What advice do you have for the budding bug hunters out there?
AS: Observe the Proof of Concept of the reported bugs. Keep oneself abreast of the latest technology. Improve your coding skills and problem-solving skills, as these help to determine the algorithm used by the developers to develop something. Further, it helps in spotting the bugs in the particular function.
AG: What is your future plan?
AS: I intend to work with technology for the betterment of the nation. I am also planning to start a company in Kerala.
Well Arun, we hope you fulfill your dreams and inspire the young techies out there! As he rightly said, the world is getting connected at an incredible pace, and this calls for stringent security measures. You can now learn about all this and more by enrolling in the CEH (Certified Ethical Hacking) course from AcadGild.