Skip to main content

How I could have made your products Out of Stock in Facebook Pages!


Hi,
This post is regarding one of my findings in Facebook which could have allowed anyone to toggle the stock status of products created by admins of a Facebook page.

Bug: Toggling the stock status of Products created by any Facebook page without having any roles on the page

 POC Steps

Page admins can create/manage Facebook products on their page.
There are options available for the admins to mark a product as "In Stock" or "Out of Stock" by sending a POST request to the endpoint "/pages/content_tab/products/update_inventory/?"
This endpoint accepts the below three main parameters.
  av: the page id
  product_group_ids[]: An array of product group ids for batch update.
  inventory_in_stock : true or false(In Stock or Out of Stock)
Security checks were missing at this endpoint which allowed me to change the stock status of any product group id.
Now, to exploit this vulnerability, we need the product group id of victim's product.
The product group id can be obtained from product ids by using a simple graph api get request like below.

GET/v2.12/12345?fields=product_group
where 12345 is the product id.
The response will contain the product_group id

{
"product_group": {
"id": "6789",
"retailer_id": "1140197742pages_commerce_sell5a9c606e8a9649106353911"
},
"id": "12345"
}
Now just, replace the value of product_group_ids[] with victim's product group id in the vulnerable enpoint and also make the value of the parameter "inventory_in_stock" to "false" and submit the request.
The response will be like below.
for (;;);{"__ar":1,"payload":{"6789":0},"bootloadable":{},"ixData":{},"gkxData":{},"lid":"6529208076628827322"}
The response contains victim's product_group id and "0" indicates that the stock status has been changed to "Out of Stock"
In the below image, you can see that the stock status is displayed as "OUT OF STOCK"



Now, If the attacker wants to set the stock status back to "IN STOCK", he can send the request to same vulnerable endpoint by updating the value of the parameter "inventory_in_stock" to "true"
As the "product_group id" is an array, with a single request itself attacker can mark all the products of victim's page as OUT OF STOCK or IN STOCK by just grabbing the product_group ids.

Mitigation and Fix

Reported the bug on 5th March and I got first response on 8th March and also got  the below reply from Security Team member  Lily on 9th march saying "Nice Find" :)


Facebook fixed the issue by placing security checks and not it returns "Content Unavailable" error.
But still, the "product_group field" is public in Graph API and I asked the team about that as I was able to get the product group ids which lead me to this bug. And I got the below reply from Neal.



I got a nice bounty for the same!



I am thankful to the Facebook Security team for understanding the impact of the bug and for the awesome bounty :)
Report timeline

5th March, 2018 - Bug Reported
8th March, 2018 -Initial Response
9th March, 2018 - Report was on triage.
15th  April, 2018 - Bug was fixed.
9th  May, 2018- Bounty awarded. 750 USD.

Comments

Post a Comment

Popular posts from this blog

How I could have hacked Facebook Analytics to view any Facebook page's Analytics- $7500

Hi, This post is regarding one of my findings in Facebook which could have allowed anyone to view the Facebook Analytics of any Facebook page without having any roles on the page. Bug:  Bug in Facebook Analytics which allows an attacker to view analytics of any Facebook page without having any roles on the page. POC Steps The API call to create an event source group is like below. "GET /v2.10/1234/event_source_groups?"  where "1234" is the business account id and it accepts the parameters,  name and  event_sources  . The parameter  event_sources  can contain the id of page,app,pixel or offline event set. After some testing, I found that while adding a page object as an event source, there are no security checks at this end point to check whether authorized user is making the request or not. In addition to this, I found other two end points as well which is vulnerable. 1)While making a POST request to an existing event source group. 2)At the "e
3 comments
Read more

Setting up tests for any App or Pixel using Facebook's Test and Learn feature

Hi, This post is regarding one of my findings in Facebook which could have allowed anyone to set up tests for apps/pixels to which he does not have any roles/access. Bug: Bug in Facebook's "Test And Learn" Feature which allows an attacker to set up tests for apps/pixels to which he does not have any roles/access and to view the test results. POC Steps Users can setup tests from the url  https://facebook.com/test-and-learn/?act=12345 where 12345 is ad account id.(Refer https://www.facebook.com/business/help/1575448755848995) The bug was in the 2nd test option "How many conversions are all my Facebook ads causing?" Click on "Set up Test", enter a test name and select any of your apps/pixel as the event source and select the schedule. The API call to setup a test is like below. "POST /v2.10/me/ad_studies?"  There were no security checks at this end point to check whether authorized user is making the request or not. In this reques
4 comments
Read more