Missing Authorization check in Facebook Pages Manager


Severity: Medium

Complexity: Easy

Weakness: Authorization/Permission Model


Discovery:

The issue was a missing authorization check in Facebook Pages Manager when disconnecting a Facebook page from a Twitter handle.

I used to see a lot of posts where anything someone retweeted or tweeted on Twitter got posted to Facebook as well.

Example: a tweet from Twitter
  • So I decided to test the Facebook authorization with Twitter to find any bugs!
  • To link a page we have to go to:
www.facebook.com/twitter
  • I created a demo page on Facebook and, as an ADMIN of the page, linked the Facebook page with Twitter.
  • After that I made my second account an ‘ANALYST’ on that page. As you all know, an ANALYST is the role with the least permissions; it shouldn’t have any privilege to open or change settings.
  • As I mentioned, it was a missing authorization check. I simply logged in to my second account, which had the ‘ANALYST’ role, and navigated to www.facebook.com/twitter. When you open this link, all your pages and accounts linked to a Twitter handle are shown, along with an option to unlink a page from Twitter. Yup, I unlinked the page from Twitter with the ‘ANALYST’ role.

Reproduce:

1) Create a page and link the page with a Twitter handle.

2) Make your second account an ANALYST of that page.

3) An ANALYST is not allowed to make any changes to the page.

4) Now log in to your second account (the ANALYST account) and navigate to
www.facebook.com/twitter

5) You will see an unlink option. Click it and the page will be unlinked from Twitter.
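The root cause, modelled in code as an added example (not Facebook's code): the unlink action checks only that the caller holds some role on the page, so the ANALYST role passes, while the fixed handler requires the capability that settings changes need. The role-to-capability table and the user/page identifiers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed role table; which role may edit settings is an assumption
# for this example, not Facebook's real permission model.
ROLE_CAPABILITIES = {
    "ADMIN":   {"view_insights", "publish", "manage_settings"},
    "EDITOR":  {"view_insights", "publish"},
    "ANALYST": {"view_insights"},
}

class Forbidden(Exception):
    pass

@dataclass
class Page:
    page_id: str
    roles: Dict[str, str]                 # user_id -> role name
    twitter_handle: Optional[str] = None

def pages_visible_to(user_id: str, pages: List[Page]) -> List[Page]:
    """The /twitter screen lists every page on which the user holds any role."""
    return [p for p in pages if user_id in p.roles]

def unlink_twitter_vulnerable(user_id: str, page: Page) -> None:
    """Before the fix: being listed on the page is treated as permission to unlink."""
    if user_id not in page.roles:
        raise Forbidden("not a member of this page")
    page.twitter_handle = None

def unlink_twitter_fixed(user_id: str, page: Page) -> None:
    """After the fix: the caller's role must carry the settings capability."""
    role = page.roles.get(user_id)
    if role is None or "manage_settings" not in ROLE_CAPABILITIES[role]:
        raise Forbidden(f"role {role!r} may not change page settings")
    page.twitter_handle = None

def demo() -> Dict[str, bool]:
    """Replays the write-up: ADMIN links the page, ANALYST tries to unlink it."""
    admin, analyst = "admin-user", "analyst-user"        # constructed ids
    page = Page("demo-page", {admin: "ADMIN", analyst: "ANALYST"}, "demo_handle")
    results = {"analyst_sees_page": page in pages_visible_to(analyst, [page])}
    unlink_twitter_vulnerable(analyst, page)             # succeeds: the bug
    results["vulnerable_unlinked"] = page.twitter_handle is None
    page.twitter_handle = "demo_handle"                  # relink for the fixed path
    try:
        unlink_twitter_fixed(analyst, page)
        results["fixed_blocked"] = False
    except Forbidden:
        results["fixed_blocked"] = page.twitter_handle == "demo_handle"
    unlink_twitter_fixed(admin, page)                    # ADMIN is still allowed
    results["admin_ok"] = page.twitter_handle is None
    return results
```

Listing the page on the screen is not the defect; the check belongs on the state-changing unlink action, and a request log showing unlink calls from ANALYST-role sessions is the signal a defender would look for.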


VIDEO POC:


  • Bug discovered on March 20, 2017
  • Fixed on 19 April