Showing posts from September, 2017

How I could have crashed the Page Role setting of any Facebook page

Hi, this is my second blog post regarding one of my findings in Facebook's Business Manager.

Bug: A bug in Business Manager which allows an attacker to completely disable a page admin's access to his page's Page Roles Settings.

This exploit works in the below scenario:

--> Attacker has a Business Manager account
--> Victim does not have any Business Manager account (i.e., the victim just has some normal Facebook pages which he owns)

In Business Manager, users can add new apps or request access to an app owned by other business accounts. If you want to request access to an app, you just need to enter the app ID and click on "Request App" so that the admin can grant you access after receiving the request.

The request for a new app is created using the below Graph API call with a valid access token:

POST /v2.10/951117391698528/sent_requests

It mainly looks for two parameters: object_id and brand id

object_id: The id of the app to which you n