Security researcher Philippe Harewood recently disclosed a security flaw in Facebook business accounts that made it possible for anyone with a Facebook profile to take over a business account, Sophos reported.
Facebook’s business accounts are intended to allow entities such as businesses, charities, and publications manage their presence on the social network.
Administrators of such accounts can handle advertising, message followers, post updates on Facebook pages, and add and remove others as managers for the business account.
Harewood discovered a way to add administrators to a business account with a call to the Facebook API.
“The call at the time didn’t seem to have any permissions set to it. This meant it was possible to add oneself as an admin to any business,” Harewood said.
He said that he reported the issue to Facebook on 9 October. By 10 October, the API endpoint was removed, and on 15 October the vulnerability was patched.
Facebook then awarded him $27,500 for reporting the bug, Harewood said.