Showing posts from May, 2018

How I could have made your products Out of Stock in Facebook Pages!

Hi, this post is regarding one of my findings in Facebook which could have allowed anyone to toggle the stock status of products created by admins of a Facebook page.

Bug: Toggling the stock status of products created by any Facebook page without having any roles on the page.

POC Steps

Page admins can create/manage Facebook products on their page. There are options available for the admins to mark a product as "In Stock" or "Out of Stock" by sending a POST request to the endpoint "/pages/content_tab/products/update_inventory/?". This endpoint accepts the below three main parameters.

av: the page id
product_group_ids[]: an array of product group ids for batch update
inventory_in_stock: true or false (In Stock or Out of Stock)

Security checks were missing at this endpoint, which allowed me to change the stock status of any product group id. Now, to exploit this vulnerability, we need the product group id of the victim's product. The pro