Missing Authorization Check in Pages Manager
Missing Authorization Check in Pages Manager – Bug Bounty POC
Hello Bug Bounty POC viewers, I hope you are all in good health. This is my first write-up on Bug Bounty POC, so first let me introduce myself. I am Arbaz Hussain from Hyderabad, India, and today I will be sharing one of my recent findings in Facebook. So let's come to the issue: basically it was a missing authorization check in Facebook Pages Manager. I was scrolling down Facebook as everyone does, and there was a post about how we can link our pages or accounts with Twitter. Many researchers are always testing the endpoints for page roles and permissions to do privilege escalation, and I am pretty sure all of those endpoints are quite secure. So this was a whole different thing, outside the settings. To link our page we have to go to:
www.facebook.com/twitter
So, no rocket science in it. I logged in from my main admin account of the page and linked my page to Twitter. After that I made my second account an 'ANALYST' of that page. As you all know, an ANALYST is the role with the least permissions. But the thing we have to focus on is that he cannot open or change settings. So, as I previously mentioned, it was a missing authorization check. I simply opened my second account, in which I had the 'ANALYST' role, and navigated to www.facebook.com/twitter. When we open this link, all our pages and accounts are shown. I was shocked that there was an option to unlink my page from Twitter. Yup, I unlinked the page from Twitter with the 'ANALYST' role.
Missing Authorization Check in Pages Manager PoC Steps:
1) Create a page and link the page with Twitter.
2) Make your second account an ANALYST of that page.
3) An Analyst is not allowed to make changes to the page settings.
4) Now log in to your second account (the ANALYST account) and navigate to
www.facebook.com/twitter
5) You will see an unlink option. Click "Unlink" and the page will be unlinked from Twitter, even though the Analyst role should not be able to change this setting.
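To make the failure mode concrete, here is an added example (my own illustration, not Facebook's code and not the author's PoC): a toy Page model with a deliberately simplified role table, a handler that repeats the bug pattern described in the steps above (membership on the page is checked, the role's permission is not), and the hardened version beside it. The role names, the `pages_for_user` listing and the rule that only Admin may change settings are assumptions made for this illustration.

```python
"""
Added example (not Facebook's code): why a missing authorization check lets an
Analyst unlink a Page from Twitter, and the check that closes it.
The role names and the capability table below are simplified assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Role(Enum):
    ADMIN = "admin"
    EDITOR = "editor"
    ANALYST = "analyst"  # least-privileged role in the write-up


# Assumption for the example: only these roles may change Page settings,
# and linking/unlinking a Twitter account is a Page setting.
ROLES_THAT_MAY_EDIT_SETTINGS = {Role.ADMIN}


class Forbidden(Exception):
    pass


@dataclass
class Page:
    page_id: int
    members: Dict[int, Role]  # user_id -> role on this Page
    twitter_linked: bool = True


def pages_for_user(pages: List[Page], user_id: int) -> List[Page]:
    """What the /twitter listing shows: every Page the user has *any* role on."""
    return [p for p in pages if user_id in p.members]


def unlink_twitter_vulnerable(page: Page, user_id: int) -> None:
    """Bug pattern from the write-up: the only check is Page membership, the same
    condition that makes the Page appear in the list, so an Analyst passes it
    and the unlink goes through."""
    if user_id not in page.members:
        raise Forbidden("not a member of this Page")
    page.twitter_linked = False


def unlink_twitter_fixed(page: Page, user_id: int) -> None:
    """Hardened handler: authorize on the capability the action needs, checked
    against the caller's role on *this* Page, not on mere membership."""
    role: Optional[Role] = page.members.get(user_id)
    if role not in ROLES_THAT_MAY_EDIT_SETTINGS:  # None (outsider) fails too
        raise Forbidden(f"role {role} may not change Page settings")
    page.twitter_linked = False


def attempt_unlink(handler: Callable[[Page, int], None], role: Optional[Role]) -> bool:
    """Run one PoC attempt against a fresh Page as a user holding `role`
    (None = no role at all). Returns True if the Twitter link was removed."""
    admin_id, attacker_id = 1, 2
    members = {admin_id: Role.ADMIN}
    if role is not None:
        members[attacker_id] = role
    page = Page(page_id=100, members=members)
    try:
        handler(page, attacker_id)
    except Forbidden:
        return False
    return not page.twitter_linked


def run_poc() -> Dict[str, bool]:
    """Reproduce the write-up's steps against both handlers."""
    analyst_page = Page(page_id=100, members={1: Role.ADMIN, 2: Role.ANALYST})
    return {
        # Step 4: the Analyst does see the Page in the /twitter listing.
        "analyst_sees_page_in_list": len(pages_for_user([analyst_page], 2)) == 1,
        # Step 5 against the buggy handler: the Analyst can unlink.
        "vulnerable_analyst_unlinked": attempt_unlink(unlink_twitter_vulnerable, Role.ANALYST),
        # The buggy handler at least stops a user with no role on the Page.
        "vulnerable_outsider_unlinked": attempt_unlink(unlink_twitter_vulnerable, None),
        # Same steps against the hardened handler.
        "fixed_analyst_unlinked": attempt_unlink(unlink_twitter_fixed, Role.ANALYST),
        "fixed_admin_unlinked": attempt_unlink(unlink_twitter_fixed, Role.ADMIN),
    }


if __name__ == "__main__":
    for check, unlinked in run_poc().items():
        print(f"{check}: {unlinked}")
```

The point of the example is the shape of the bug rather than the toy model: the listing endpoint and the action endpoint both answer "is this user on the Page?", so the action inherits the listing's weaker check. The fix keys the decision to the capability the action needs, and the same handler also rejects a caller with no role at all.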
I could have given you the video PoC instead of the whole write-up, but I believe a write-up is a strong thing for a researcher, as it allows him to express his findings and feelings through the whole finding. I hope you all liked this, and thanks to Behroz and his staff for setting up a great blog 🙂. For the ease of researchers I have also provided the video PoC below.
Any questions? Catch me up on Facebook 🙂
Missing Authorization Check in Pages Manager – Reply of Facebook :
Missing Authorization Check in Pages Manager – Video POC :
Good research.
Very good indeed – Stay ahead, Stay Blessed
Nice one Arbaaz, keep up the good work!
Good research, Arbaz Hussain.