Today I will be telling you how I was able to send messages as a page being a page analyst/ advertiser.
According to this article from Facebook https://www.facebook.com/help/pageroles Analysts and Advertisers cannot send messages as page.
Here is how I managed to bypass it :
Setup : 3 Facebook accounts, Where User A should be the admin, User B is the attacker account here and User C is any random Facebook account.
- Make User B an editor.
- User B must be using Facebook lite.
- Send the page a message from User C's account.
- User B in Facebook lite app will get a notification saying user C messaged to the page.
- User B will open the message.
- User A will now change user B's page role to Analyst.
- While User B is still in the inbox with user C, he/she will be able to send messages as page despite being page analyst or advertiser.
Here is a video POC :https://drive.google.com/file/d/1-tcGdGtDPUTBtLn57iAKeFer_wGuBhzB/view?usp=drivesdk
As unfortunate as it could be for me, it got an internal fix.
Thank you for making it to the end of the article. Here is a Facebook bug bounty tip : While being in the session when you had privileges try changing your privilege and see if you can still perform certain tasks while still in that session.
Find me on Twitter : https://www.twitter.com/ibaibhavjha
Find me on Facebook : https://www.facebook.com/ibaibhav