Modifying any Ad Space and Placement

In early November, Facebook introduced a new feature in the Audience Network called Ad Spaces.

Description: It is possible to modify any Ad Space and Placement, given only the victim’s Ad Space and Placement IDs.

Impact: A malicious user can modify any information in an Ad Space. A malicious user can also add and modify Placements in it.

Proof of Concept:
Editing Ad Space:
1. Go to “https://developers.facebook.com/apps/APP_ID/audience-network/adspaces/”.
2. Create an Ad Space.
3. Edit that Ad Space.
4. Using a debugging tool, capture the POST request sent when editing the Ad Space.
5. In the POST request, change the param “ad_space_id” to any Ad Space ID.

Adding Placement:
1. Go to “https://developers.facebook.com/apps/APP_ID/audience-network/adspaces/”.
2. In your Ad Space, create a Placement.
3. Make sure to capture the POST request using a debugging tool.
4. In the POST request, change the “ad_space_id” to any Ad Space ID.

Editing Placement:
1. Go to “https://developers.facebook.com/apps/APP_ID/audience-network/adspaces/”.
2. Select and edit your Placement.
3. Make sure to capture the POST request using a proxy tool.
4. In the POST request URL, change the Placement ID to your victim’s Placement ID.

Their initial fix was to prevent any user from modifying arbitrary Ad Spaces, but Ad Spaces could still be modified by a user who held a Tester or Analytic User role in the App.
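All three proofs of concept are the same defect: the server trusted an object ID supplied by the client (in the body or in the URL) and never checked that the caller was entitled to edit the object that ID names, and the first fix only checked for membership in the owning App rather than for an editing role. The following is an added illustration of that check, not Facebook’s code: the data model, the role names (“admin”, “developer”, “tester”, “analyst”), the set of editing roles and the sample IDs are all assumptions made for the example. It shows the original unchecked handler, a handler with the insufficient “any role on the App” check, and a hardened handler that resolves ownership from the server-side record.

```python
# Added example: server-side ownership checks for an "edit ad space" handler.
# Illustrative code, not Facebook's; data model and role names are assumed.
from dataclasses import dataclass
from typing import Dict, Optional


class Forbidden(Exception):
    """Raised when the caller may not touch the requested object."""


@dataclass
class AdSpace:
    ad_space_id: str
    app_id: str      # the app that owns this space (server-side truth)
    name: str


# Constructed sample data: two apps owned by different people.
# Role names are assumptions, not Facebook's actual role set.
APP_ROLES: Dict[str, Dict[str, str]] = {
    "app-1": {"alice": "admin", "tina": "tester"},
    "app-2": {"bob": "admin", "ana": "analyst"},
}
AD_SPACES: Dict[str, AdSpace] = {
    "space-100": AdSpace("space-100", "app-1", "Alice's space"),
    "space-200": AdSpace("space-200", "app-2", "Bob's space"),
}
# placement_id -> ad_space_id; a placement's owner is derived from its space
PLACEMENTS: Dict[str, str] = {"pl-1": "space-100", "pl-2": "space-200"}
# Roles allowed to change ad-space configuration (assumed set).
EDIT_ROLES = {"admin", "developer"}


def update_ad_space_vulnerable(user: Optional[str], ad_space_id: str, new_name: str) -> AdSpace:
    """Original behaviour: only a login check; ad_space_id from the request is trusted."""
    if not user:
        raise Forbidden("login required")
    space = AD_SPACES[ad_space_id]      # any authenticated user reaches any space
    space.name = new_name
    return space


def update_ad_space_first_fix(user: Optional[str], ad_space_id: str, new_name: str) -> AdSpace:
    """Mirrors the insufficient fix: any role on the owning app is enough to edit."""
    space = AD_SPACES[ad_space_id]
    if not user or user not in APP_ROLES.get(space.app_id, {}):
        raise Forbidden("no role on the owning app")
    space.name = new_name               # a tester or analyst still gets here
    return space


def role_on_space(user: Optional[str], ad_space_id: str) -> Optional[str]:
    """Resolve the owning app from the server-side record and return the caller's role there."""
    space = AD_SPACES.get(ad_space_id)
    if space is None or not user:
        return None
    return APP_ROLES.get(space.app_id, {}).get(user)


def update_ad_space_fixed(user: Optional[str], ad_space_id: str, new_name: str) -> AdSpace:
    """Hardened handler: the caller needs an editing role on the app that owns the space."""
    if role_on_space(user, ad_space_id) not in EDIT_ROLES:
        # Same response for "not yours" and "does not exist", so the ID
        # cannot be used as an existence oracle.
        raise Forbidden("ad space not found or not editable by this user")
    space = AD_SPACES[ad_space_id]
    space.name = new_name
    return space


def update_placement_fixed(user: Optional[str], placement_id: str, new_name: str) -> str:
    """Placement edits resolve placement -> ad space -> app on the server, not from the URL alone."""
    ad_space_id = PLACEMENTS.get(placement_id)
    if ad_space_id is None or role_on_space(user, ad_space_id) not in EDIT_ROLES:
        raise Forbidden("placement not found or not editable by this user")
    return f"{placement_id} renamed to {new_name!r}"


def denied(handler, *args) -> bool:
    """True if the handler refuses the request; used by the checks below."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # mallory has no role anywhere; tina is only a tester on app-1
    print("vulnerable, outsider edits Bob's space:", not denied(update_ad_space_vulnerable, "mallory", "space-200", "x"))
    print("first fix, tester edits her app's space:", not denied(update_ad_space_first_fix, "tina", "space-100", "x"))
    print("fixed, tester denied:", denied(update_ad_space_fixed, "tina", "space-100", "x"))
    print("fixed, admin allowed:", not denied(update_ad_space_fixed, "alice", "space-100", "x"))
```

The design point is that the authorization decision keys off the object the server already stores (ad space to app, placement to ad space to app), never off IDs the client sends, and that “has some role on the App” is not the same question as “may edit this object”. Returning one error for both missing and foreign objects also keeps the endpoint from confirming which IDs exist.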

Video POC: https://drive.google.com/drive/folders/1lkiHhJUUByXPyBu2uPpCWx3LGl5EZvNx

Timeline:
Nov. 09, 2017 — Initial Report
Nov. 14, 2017 — Report Triaged
Dec. 5, 2017 — Fixed by Facebook
Dec. 5, 2017 — Fix is insufficient
Dec. 15, 2017 — Fixed by Facebook
Dec. 15, 2017 — Fix is insufficient
Dec. 21, 2017 — Bounty awarded
Feb. 19, 2018 — Issue Resolved