
How I could have crashed the Page Role setting of any Facebook page


Hi,
This is my second blog post regarding one of my findings in Facebook's Business Manager.
Bug: A bug in Business Manager which allows an attacker to completely disable a page admin's access to his page's Page Roles settings.
This exploit works in the scenario below:
--> Attacker has a Business Manager account
--> Victim does not have any Business Manager account (i.e., the victim just owns some normal Facebook pages)
In Business Manager, users can add new apps or request access to an app owned by other business accounts. If you want to request access to an app, you just need to enter the App ID and click on "Request App", so that the app admin can grant you access after receiving the request.


The access request for an app is created using the Graph API call below, with a valid access token:
POST /v2.10/951117391698528/sent_requests
It mainly looks for two parameters: object_id and brandId
object_id: The id of the app to which you need access
brandId: Your business id
Here, while looking for logical bugs, I submitted the request by replacing object_id with the victim's page id!
The response from the server was as below:

"A request has been sent asking the people who manage the app to approve your request. We'll let you know if your request is approved."
The developer had assumed that the object_id in the request would always be an app ID!
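To make the root cause concrete, here is an added example (not Facebook's code) that models the sent_requests handler with the missing object-type check beside a fixed version; the in-memory graph store, the IDs and the function names are constructed assumptions for illustration only.

```python
# Added example, not Facebook's code: a minimal model of the Business Manager
# "sent_requests" handler. GRAPH_OBJECTS, the IDs and the handler names are
# constructed assumptions; they only illustrate the missing object-type check.
from dataclasses import dataclass, field

# Constructed stand-in for the Graph object store: object id -> object type.
GRAPH_OBJECTS = {
    "111000111": "app",   # an app the requester may legitimately ask access to
    "222000222": "page",  # a page whose owner has no Business Manager account
}


@dataclass
class RequestStore:
    """Pending access requests, as recorded by the endpoint."""
    pending: list = field(default_factory=list)


def sent_requests_vulnerable(store, brand_id, object_id):
    """Behaviour described in the post: any existing object id is accepted."""
    if object_id not in GRAPH_OBJECTS:
        return {"error": "object not found"}
    store.pending.append({"brand": brand_id, "object": object_id})
    return {"success": True}


def sent_requests_fixed(store, brand_id, object_id):
    """Hardened: only objects of the type this endpoint is for (apps) are accepted."""
    obj_type = GRAPH_OBJECTS.get(object_id)
    if obj_type is None:
        return {"error": "object not found"}
    if obj_type != "app":
        # Reject before any pending request is recorded against the object.
        return {"error": "object_id must refer to an app"}
    store.pending.append({"brand": brand_id, "object": object_id})
    return {"success": True}


def page_roles_visible(store, page_id):
    """Models the symptom: a pending request against a page hides its Page Roles UI."""
    return not any(r["object"] == page_id for r in store.pending)
```

The vulnerable handler lets a request be recorded against a page id, so page_roles_visible() turns False for that page; the fixed handler rejects it before anything is stored.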
After this, I just logged into the victim's account (a test account) and opened the Page Roles settings.
From the victim's account, I saw a notification that the other business account had asked for access to the app. But the victim cannot approve/reject it, as he does not have a business account :P
I opened the Page Roles setting of the victim's page.


The victim has lost complete access to Page Roles. Nothing was showing up in Page Roles.
Now, until the victim rejects/approves the attacker's request, or the attacker cancels the request from his Page menu option, the victim won't have access to his "Page Roles" settings!
Impact:
An attacker can misuse this bug to deny the victim access to their Page Roles settings.
Reported to Facebook and got a nice bounty :)


This bug has been completely fixed now, and the mentioned endpoint now returns the response below.




Report timeline

1st June, 2017 - Bug Reported
8th June, 2017 - Vic confirmed the bug and sent to product team.
11th July, 2017 - I observed that issue has been resolved. Asked for update.
15th July, 2017 - Vic updated that they are looking into some deeper root cause for this issue.
12th August, 2017 - Bounty awarded. 750 USD.
