Setting up tests for any App or Pixel using Facebook's Test and Learn feature


Hi,
This post is regarding one of my findings in Facebook which could have allowed anyone to set up tests for apps/pixels on which they had no roles/access.

Bug: Bug in Facebook's "Test And Learn" feature which allowed an attacker to set up tests for apps/pixels on which they had no roles/access and to view the test results.

POC Steps

Users can set up tests from the URL https://facebook.com/test-and-learn/?act=12345, where 12345 is the ad account ID (see https://www.facebook.com/business/help/1575448755848995).
The bug was in the 2nd test option, "How many conversions are all my Facebook ads causing?"
Click on "Set up Test", enter a test name, select any of your apps/pixels as the event source and select the schedule.
The API call to set up a test looks like the following:
"POST /v2.10/me/ad_studies?"
There were no security checks at this endpoint to verify that the requesting user was authorized for the referenced app/pixel.
In this request, replace the application ID/pixel ID with the victim's application ID/pixel ID.
Submit the request; the test will be created with status "planned".
Click on the created test and the victim's app or pixel will be listed under measurement sources!
Now the test will collect results for the chosen schedule for the victim's app/pixel and display the lift results and incremental efficiency associated with the victim's ads. This shows how much money the victim spent over the period, along with other details.
Just like in the two sample figures below.
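The root cause above is an object-level authorization gap: the endpoint trusted the app/pixel IDs in the request body. The following is an added example, not Facebook's code, that shows the omission beside a hardened handler which checks every referenced event source against the caller's roles; all IDs, role names and the role store are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed role store: event_source_id -> set of user IDs holding a role on it.
EVENT_SOURCE_ROLES = {
    "app_1001": {"alice"},    # alice owns this app
    "pixel_2002": {"alice"},  # alice owns this pixel
    "pixel_3003": {"bob"},    # bob's pixel: plays the "victim" source from the report
}


@dataclass
class AdStudy:
    name: str
    owner: str
    event_sources: list = field(default_factory=list)
    status: str = "planned"  # the state the report observed after creation


class Forbidden(Exception):
    """Raised when the caller lacks a role on a requested measurement source."""


def create_ad_study_vulnerable(user, payload):
    """Mirrors the reported behaviour: the IDs in the body are trusted, so any
    authenticated caller can attach any app/pixel to their own study."""
    return AdStudy(payload["name"], user, list(payload["event_sources"]))


def create_ad_study_fixed(user, payload, roles=EVENT_SOURCE_ROLES):
    """Hardened: the caller must hold a role on every measurement source.
    Unknown IDs fail closed, and the error does not reveal whether the ID exists."""
    sources = list(payload["event_sources"])
    if not sources:
        raise ValueError("at least one event source is required")
    for source_id in sources:
        if user not in roles.get(source_id, set()):
            raise Forbidden("caller has no role on a requested event source")
    return AdStudy(payload["name"], user, sources)


def demo():
    """Cross-account case: alice references bob's pixel.
    Returns (vulnerable_result, fixed_result); the fixed handler yields None."""
    payload = {"name": "lift test", "event_sources": ["app_1001", "pixel_3003"]}
    vulnerable = create_ad_study_vulnerable("alice", payload)
    try:
        fixed = create_ad_study_fixed("alice", payload)
    except Forbidden:
        fixed = None
    return vulnerable, fixed
```

The check belongs server-side on the write path; the per-source lookup is what the original endpoint lacked, and the same check should gate reading a study's results.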





Mitigation and Fix

I reported this bug to Facebook on 21st January and the report was triaged by the 23rd.
By 1st February, Lilly from the security team updated that a permanent fix was available.
When I tried, I got the error below as well.

"Application does not have the capability to make this API call" 

As this could have allowed anyone to set up tests for a victim's apps/pixels, I got a nice bounty for it!



I am thankful to the Facebook Security team for the quick fix and for the awesome bounty :)

Report timeline

21st January, 2018 - Bug reported.
23rd January, 2018 - Lily from Facebook Security confirmed the bug and sent it to the product team.
1st February, 2018 - Was asked to confirm the temporary fix, and I confirmed it.
7th February, 2018 - Bounty awarded: 3000 USD.

Comments

  1. Informative post. Thanks for sharing.

    Stocks4all

