Report Facebook reauthentication bypass bug bounty:
Last month I reported a Privacy / Authentication issue to Facebook concerning a method that allows to bypass the reauthentication when you want to add an user to manage Facebook page.
Here it is their reply:
Thank you for your concern. We are moving away from requiring reauthentication for sensitive actions, since it can cause unnecessary friction for important processes, especially on mobile devices. Instead, we provide robust disavow flows so that, if someone gains access to another person’s Facebook account, the original account owner can regain control.
After this reply, I was expecting that Facebook would remove this useless reauthentication security feature once that it could be bypassed easily. But no, as of today this feature is still active.
Proof of concept:
- Go to “https://www.facebook.com/PAGEID/settings/?tab=admin_roles“.
- As you try to add a new user to a page you will get a pop-up saying: “- For your security, you must re-enter your password to continue”.
- Lastly, if you visit “https://m.facebook.com/pages/edit/admins/PAgeID” you can add any user without the password. You only need change to Facebook mobile version to bypass this security feature.
The attacker gets access to victim personal computer and he will be able to add new administrators to Facebook page bypassing the reauthentication. After he adds his account to page administration he could start deleting the other users from page administration and control the page posts.
In my opinion, Facebook should remove this security feature in the main domain as well or add it to the mobile version. This security feature becomes completely useless if you change to the mobile subdomain.