Showing posts from March, 2018

Setting up tests for any App or Pixel using Facebook's Test and Learn feature

Hi,

This post is about one of my findings in Facebook which could have allowed anyone to set up tests for apps/pixels on which they had no roles or access.

Bug: A bug in Facebook's "Test and Learn" feature allowed an attacker to set up tests for apps/pixels on which they had no roles/access, and to view the test results.

POC Steps

Users can set up tests from the URL https://facebook.com/test-and-learn/?act=12345, where 12345 is the ad account ID (refer to https://www.facebook.com/business/help/1575448755848995).

The bug was in the second test option, "How many conversions are all my Facebook ads causing?". Click on "Set up Test", enter a test name, select any of your apps/pixels as the event source, and select the schedule.

The API call to set up a test looks like this:

"POST /v2.10/me/ad_studies?"

There were no security checks at this endpoint to verify whether an authorized user was making the request. In this reques
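As an added illustration (not the author's code, nor Facebook's), this is the kind of server-side check the post says was missing on the ad_studies endpoint: before creating a study, verify that the requester holds a role on every app/pixel named as an event source. The role names, object ids and in-memory registry are constructed for the example.

```python
from dataclasses import dataclass, field


class NotAuthorized(Exception):
    pass


@dataclass
class EventSource:
    # An app or a pixel that can be chosen as a test's event source.
    source_id: str
    kind: str                                   # "app" or "pixel"
    roles: dict = field(default_factory=dict)   # user_id -> role name


@dataclass
class AdStudy:
    name: str
    requester: str
    ad_account_id: str
    event_sources: list


# Roles that may set up and view tests on a source (assumed for the example).
ALLOWED_ROLES = {"admin", "developer", "analyst"}

# Constructed registry: apps/pixels owned by different users.
SOURCES = {
    "app_111": EventSource("app_111", "app", {"alice": "admin"}),
    "pixel_222": EventSource("pixel_222", "pixel", {"bob": "admin", "carol": "analyst"}),
}


def can_set_up_test(requester, source_ids):
    """True only if the requester holds an allowed role on every referenced source.
    Unknown ids fail exactly like unauthorized ones, so the endpoint does not
    reveal which source ids exist; an empty source list is also refused."""
    return bool(source_ids) and all(
        sid in SOURCES and SOURCES[sid].roles.get(requester) in ALLOWED_ROLES
        for sid in source_ids
    )


def create_ad_study_unchecked(requester, ad_account_id, name, source_ids):
    """Vulnerable shape: resolves sources by id and trusts any logged-in requester."""
    return AdStudy(name, requester, ad_account_id, [SOURCES[s] for s in source_ids])


def create_ad_study(requester, ad_account_id, name, source_ids):
    """Hardened shape: authorize against each event source before creating anything."""
    if not can_set_up_test(requester, source_ids):
        raise NotAuthorized(f"{requester} lacks a role on one of {source_ids}")
    return create_ad_study_unchecked(requester, ad_account_id, name, source_ids)
```

The unchecked variant is what an "any logged-in user can reference any object id" bug looks like in code; the hardened one rejects the request without leaking whether the id exists.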