Inquiries: hello@husseinsaleh.com

Bypass Two-Factor Authentication in Meta Business Suite to Hijack Facebook Pages

In December 2024, a severe security vulnerability was discovered in Meta Business Suite that exposed Facebook pages to unauthorized access. This flaw allowed attackers to bypass critical verification processes, including Two-Factor Authentication (2FA), and gain control over Facebook pages managed through Business Manager.

In this article, I’ll explain the vulnerability, its risks, and how it was resolved after responsible disclosure.

What Was the Vulnerability?

The vulnerability I discovered allowed attackers to manipulate URLs and bypass critical security measures, enabling them to:

  • Remove Facebook Pages from Business Manager: Attackers could remove a page from its original Business Manager without verifying the associated email address.
  • Take Full Control: Pages could then be added to a new Business Manager controlled by the attacker.
  • Bypass Two-Factor Authentication: Even with 2FA enabled, the attacker could bypass it entirely.
  • Lock Out Original Owners: Once transferred, attackers could enable their own 2FA, preventing rightful owners from regaining access.

Risks to Businesses

This vulnerability posed significant risks to businesses, including:

  • Loss of Control: Businesses could lose access to their Facebook pages, locking out authorized administrators.
  • Data Breaches: Attackers could access sensitive information, such as ad campaigns, billing details, and customer data.
  • Reputational Damage: Hijacked pages could post inappropriate content, damaging brand reputation and customer trust.
  • Financial Loss: Attackers could misuse advertising budgets or disrupt campaigns.

How the Exploit Worked

The exploit involved manipulating URLs to bypass verification steps in Meta Business Suite. Here’s how the attacker could perform the exploit:

  1. Accessing Business Suite: The attacker would attempt to access the Meta Business Suite for a Facebook page. Normally, this would prompt for an email verification step to ensure secure access.
  2. Copying the Business ID: The attacker would copy the business_id from the URL shown during the verification prompt.
  3. Manipulating the URL: The attacker would craft a new URL using the copied business_id:
     https://business.facebook.com/confirm_business/?business_id=[BUSINESS_ID]
     The attacker would replace [BUSINESS_ID] with the copied ID.
  4. Bypassing the Verification: By accessing this manipulated URL, the attacker could bypass the verification step entirely.
  5. Removing the Page: The attacker could now remove the Facebook page from its original Business Manager without the need for any email confirmation or 2FA.
  6. Adding the Page to a New Business Manager: The attacker would add the Facebook page to a new Business Manager that they controlled.
  7. Enabling Their Own 2FA: The attacker would enable Two-Factor Authentication (2FA) on the new Business Manager, locking out the original owner and securing full control of the page.
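The steps above describe a step-up check (email confirmation before a business-level action) that could be skipped by navigating straight to the confirm URL with a known business_id. The write-up does not state the root cause; the model below assumes it was a verification step enforced only by the front-end flow rather than by a server-side record that the check had completed. It is an added illustration, not Meta's code: the session, business store, handler names and sample data are all constructed. It shows a gate that trusts arrival at the confirm URL beside one that requires a one-time code issued to the owner, bound to the session and the exact business_id, compared in constant time and consumed on use.

```python
"""
Illustrative model of a step-up verification gate in front of a sensitive
action (removing a page from a business). Assumption, not from the write-up:
the flaw was a check enforced only by UI navigation, so a user who went
straight to the confirm URL with a known business_id skipped it.
All names and data are constructed; this is not Meta's implementation.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def make_businesses() -> dict:
    """Constructed sample store: one business, one page, owned by alice."""
    return {"1001": {"owner": "alice", "pages": {"page-42"}}}


@dataclass
class Session:
    user: str
    # business_ids this session has completed step-up verification for
    verified: Set[str] = field(default_factory=set)
    # business_id -> one-time code issued to the owner's email (server copy)
    pending: Dict[str, str] = field(default_factory=dict)


def start_verification(session: Session, businesses: dict, business_id: str) -> str:
    """Issue a one-time code bound to this session and business_id.
    Only the business owner is sent a code, so possession of the code is the
    proof of control over the associated email. The return value stands in
    for email delivery so the example runs offline."""
    if businesses[business_id]["owner"] != session.user:
        raise PermissionError("verification codes are only sent to the owner")
    code = secrets.token_hex(4)
    session.pending[business_id] = code
    return code


def confirm_business_vulnerable(session: Session, business_id: str) -> None:
    """Vulnerable gate: treats reaching the confirm handler as proof that the
    email step was passed. Anyone who knows a business_id can call it."""
    session.verified.add(business_id)


def confirm_business_hardened(session: Session, business_id: str, code: Optional[str]) -> bool:
    """Hardened gate: requires the code issued for THIS business_id in THIS
    session, compared in constant time and consumed on first use."""
    expected = session.pending.get(business_id)
    if expected is None or code is None:
        return False
    if not hmac.compare_digest(expected, code):
        return False
    del session.pending[business_id]  # single use: a replayed code fails
    session.verified.add(business_id)
    return True


def remove_page(session: Session, businesses: dict, business_id: str, page_id: str) -> bool:
    """Sensitive action. Proceeds only if step-up verification was recorded
    server-side for this exact business_id in this session."""
    if business_id not in session.verified:
        return False
    pages = businesses[business_id]["pages"]
    if page_id not in pages:
        return False
    pages.discard(page_id)
    return True


if __name__ == "__main__":
    # Attacker path against the vulnerable gate: no code, page still removed.
    store, mallory = make_businesses(), Session("mallory")
    confirm_business_vulnerable(mallory, "1001")
    print("vulnerable: removed =", remove_page(mallory, store, "1001", "page-42"))

    # Same navigation against the hardened gate is rejected.
    store, mallory = make_businesses(), Session("mallory")
    print("hardened, no code: confirmed =", confirm_business_hardened(mallory, "1001", None))
    print("hardened, no code: removed =", remove_page(mallory, store, "1001", "page-42"))
```

The property that matters is where the "verified" state lives: in the vulnerable version it is implied by which URL the user reached, so the attacker sets it by navigating; in the hardened version it is written only by the handler that checked a code the owner alone received, and the sensitive action reads that record rather than trusting the request path.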

Resolution and Fix

After discovering the vulnerability, I reported it through Meta’s Bug Bounty Program, providing detailed reproduction steps and a proof-of-concept video. Meta acknowledged the issue and implemented a fix to secure the system.

Conclusion

The resolution of this vulnerability demonstrates the value of responsible disclosure and proactive security measures. Businesses should stay vigilant, adopt the latest security features, and ensure their digital assets remain secure from emerging threats.
