Disclosure of Pending Roles for any Facebook Page

Avinash Kumar
Mar 16, 2019 · 2 min read

In this blog post I'll explain an Insecure Direct Object Reference (IDOR) vulnerability I recently found in Facebook, which allowed me to disclose the pending roles of any Facebook Page.

Facebook Page's pending roles: a user has been invited to a role on a Page but has not accepted it yet, so the invitation is still in pending status.

Description: Facebook recently launched a platform named Creator Studio, which offers a range of tools for posting, monetising, managing and measuring your Page's content effectively.

So I started capturing every HTTP request and response inside this new platform. After some time a GET request fascinated me:

https://business.facebook.com/media/manager/page_admin_roles/?page_id=123450000&page_name=Your_page_name&fb_dtsg_ag=token&__user=100001234567&__a=1&__dyn=abcd1234xyz&__req=z&__be=1&__pc=PHASED%3ADEFAULT&dpr=1&__rev=4662096&jazoest=28106&__spin_r=4662096&__spin_b=trunk&__spin_t=1546532826 HTTP/1.1

You can reproduce the above request by clicking the Manage Page Roles button inside the Preferences tab. The request carries a parameter that the client controls: page_id. Replaying the request in Burp Suite's Repeater with page_id set to the victim's page ID and inspecting the HTTP response reveals the name and user ID of every user invited to a role on the victim's Page, even though you hold no role on that Page.
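The missing check behind this IDOR, shown as an added example that is not Facebook's code: a vulnerable handler that trusts the caller-supplied page_id beside a hardened one that first verifies the authenticated requester holds a role on that Page, plus a simple detector that flags one user querying the endpoint for many distinct page_ids. The page, user and log data are constructed, and requiring "any role on the Page" is an assumption about the intended authorization rule.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

class Forbidden(Exception):
    """Raised when the requester has no role on the requested Page."""

# Constructed sample data: current role holders and pending invitations per Page.
PAGE_ROLES = {"page_1": {"user_admin": "admin"}, "page_2": {"user_victim": "admin"}}
PENDING_ROLES = {
    "page_1": [{"user_id": "user_7", "name": "Invitee One", "role": "editor"}],
    "page_2": [{"user_id": "user_9", "name": "Invitee Two", "role": "analyst"}],
}

def page_admin_roles_vulnerable(requester_id, page_id):
    """Vulnerable handler: honours any page_id from the request and never asks
    whether requester_id is allowed to see that Page's pending invitations."""
    return list(PENDING_ROLES.get(page_id, []))

def page_admin_roles_fixed(requester_id, page_id):
    """Hardened handler: requester_id must come from the authenticated session (not
    a request parameter) and must hold a role on page_id before anything is returned."""
    if requester_id not in PAGE_ROLES.get(page_id, {}):
        raise Forbidden(f"{requester_id} has no role on {page_id}")
    return list(PENDING_ROLES.get(page_id, []))

def enumeration_suspects(log_lines, threshold=3):
    """Detection: return users who requested page_admin_roles for more than
    `threshold` distinct page_ids. Constructed log format: '<user> GET <path>'."""
    pages_by_user = defaultdict(set)
    for line in log_lines:
        user, _, path = line.split(" ", 2)
        if "/media/manager/page_admin_roles/" not in path:
            continue
        page_id = parse_qs(urlparse(path).query).get("page_id", [""])[0]
        pages_by_user[user].add(page_id)
    return sorted(u for u, pages in pages_by_user.items() if len(pages) > threshold)

# Constructed access-log sample: one legitimate admin and one user walking page_ids.
SAMPLE_LOG = [
    "user_admin GET /media/manager/page_admin_roles/?page_id=page_1&__a=1",
    "user_probe GET /media/manager/page_admin_roles/?page_id=page_1&__a=1",
    "user_probe GET /media/manager/page_admin_roles/?page_id=page_2&__a=1",
    "user_probe GET /media/manager/page_admin_roles/?page_id=page_3&__a=1",
    "user_probe GET /media/manager/page_admin_roles/?page_id=page_4&__a=1",
    "user_probe GET /home/?__a=1",
]
```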

Impact: Any attacker could identify the people invited to hold a role on a given Facebook Page (including celebrities' pages).

Proof of Concept:

Responsible Disclosure Timeline:
3 Jan 2019: Report Sent
7 Jan 2019: Facebook Security Team asked for clearer steps; steps sent.
10 Jan 2019: Report Triaged
14 Jan 2019: Bug Fixed
6 Feb 2019: $4000 Bounty Rewarded

Thanks
