Facebook Bug Bounty! {Permission Bug}

Hi guys! My name is Ali Tütüncü and I am a security researcher. When I started bug bounty hunting, I said, “I will find a vulnerability on Facebook. This is my goal.” And I found a vulnerability on 12 Aug 2018.

This is my first write up.

12 Aug 2018

I was searching for vulns on Facebook 4 days ago. Then I got bored and started watching “proof of concept” videos. I watched a video and it gave me an idea.

When I went to the app’s roles, I saw these permissions:

Testers can’t access the app’s insights. Really?

I tried these steps:

  1. Go to http://developers.facebook.com/apps and create an app.
  2. Go to https://developers.facebook.com/apps/{App Id}/roles/roles/
  3. Add a tester.
  4. Login with your tester account.
  5. Go to https://www.facebook.com/insights. But I saw nothing. What the?

After some thought, I went to https://facebook.com/analytics/{App Id} and YES! I saw all the analytics, and I could edit them.
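The root cause described above is an authorization check applied on one URL (/insights) but not on a second URL that exposes the same data (/analytics/{App Id}). The following is an added example, not Facebook's code, that models this gap and the usual fix of enforcing the permission on every route through one shared check; the role names, the permission matrix and the sample users are assumptions constructed for illustration.

```python
# Added example (not Facebook's code): models the authorization gap from the
# write-up, where the "tester" role is denied /insights but a second endpoint
# /analytics/{app_id} fails to apply the same check. Role names and the
# permission matrix are assumptions constructed for illustration.
from dataclasses import dataclass

# Assumed role -> permission mapping; only "tester" is described on the page.
ROLE_PERMISSIONS = {
    "administrator": {"manage_roles", "view_insights", "edit_insights"},
    "developer": {"view_insights"},
    "tester": set(),  # per the page, testers should not access insights
}


@dataclass
class App:
    app_id: int
    roles: dict  # user -> role name


def _has_permission(app, user, perm):
    role = app.roles.get(user)
    return role is not None and perm in ROLE_PERMISSIONS[role]


# Vulnerable pattern: every endpoint does its own, inconsistent check.
def insights_page_vulnerable(app, user):
    return 200 if _has_permission(app, user, "view_insights") else 403


def analytics_page_vulnerable(app, user):
    # Only checks that the user holds *some* role on the app, not which one,
    # so a tester reaches the same data through this second URL.
    return 200 if user in app.roles else 403


# Hardened pattern: one decorator enforces the permission on each route that
# exposes the data, so a new or forgotten URL cannot silently bypass policy.
def require(perm):
    def deco(fn):
        def wrapper(app, user, *args, **kwargs):
            if not _has_permission(app, user, perm):
                return 403
            return fn(app, user, *args, **kwargs)
        return wrapper
    return deco


@require("view_insights")
def insights_page(app, user):
    return 200


@require("view_insights")
def analytics_page(app, user):
    return 200


@require("edit_insights")
def edit_analytics(app, user):
    return 200
```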

PoC Video:

Timeline:
Aug. 12, 2018 - Report Triaged
Aug. 15, 2018 - Report Triaged
Aug. 28, 2018 - Issue Fixed
Sept. 05, 2018 - Bounty of $750 Awarded

Follow me on Twitter: https://twitter.com/alicanact60