Facebook Vulnerability: Hiding from the view of Business Admin in the Business Manager


Hello Readers! My name is Ritish. I am 17 years old & I am currently pursuing a B.Tech in Computer Science Engineering from Teegala Krishna Reddy Engineering College, Hyderabad, India.

Earlier this year, having managed Facebook pages from 0 likes up to a million likes, I was bored with my daily routine. I tried to do something different in my life. And this is how I landed in the Facebook Bug Bounty Program.

It was a tough beginning, but as time went on, I started understanding the areas where I needed to concentrate. And today, after my 25 failed submissions (14 Informative, 11 Not-Applicable), I have finally received my first bounty from Facebook.


Timeline:

Sept. 21: Report Sent

Sept. 25: Reproduced by Facebook

Sept. 25: Triaged

Nov. 07: Fixed

Nov. 07: I confirmed the fix

Nov. 14: Bounty of $500 awarded


Description:

Suppose Mr. A is an admin of a Facebook page and Mr. E is an editor of that same page. If Mr. E blocks Mr. A on Facebook, then Mr. E no longer shows up in the "PAGE ROLES" section of that page when Mr. A views it from his "Business Manager". That means the admin cannot remove that editor from the page while in "Business Manager", because the editor's Facebook account is not visible in the Page Roles section. The root cause is that a social-graph visibility rule (a block) is being applied to an administrative listing, where it should not affect who is shown.

Impact:

An editor can block the admin on Facebook and keep access to the editor tools on that page as a "hidden editor", without the possibility of being removed while the admin is on Business Manager.

Reproduction Steps:

1) User "A" creates a page and adds that page to his Business Manager account

2) User "A" adds User "B" as an editor on his page

3) User "B" blocks User "A" completely on Facebook

4) User "A" goes to business.facebook.com

5) In the top-right corner he clicks on "Business Settings"

6) On the left sidebar we can see the "Pages" option

7) Click on "Pages"

8) Now we can see "Assigned people & Partners"

9) Search for the name of User "B" in that list

10) We cannot find his name there!!
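To make the logic flaw behind the description and the reproduction steps concrete, here is an added example (my own model, not Facebook's code): a tiny role directory where the vulnerable listing applies the block relationship to an administrative view, the fixed listing authorizes only on the viewer's role, and an audit helper reports any role holder the filtered view would hide. All names (Directory, page_roles_vulnerable, page_roles_fixed, hidden_role_holders) and the sample data are assumed for illustration.

```python
# Added example, not Facebook's code: a minimal model of the page-roles listing
# described above. Class and method names are assumed for illustration.
from dataclasses import dataclass, field


@dataclass
class Directory:
    # user -> set of users that user has blocked (constructed data)
    blocks: dict = field(default_factory=dict)
    # page -> {user: role}
    page_roles: dict = field(default_factory=dict)

    def is_blocked(self, viewer, target):
        """True when `target` has blocked `viewer`, i.e. target is socially hidden."""
        return viewer in self.blocks.get(target, set())

    def page_roles_vulnerable(self, page, viewer):
        """Bug pattern: a social-graph visibility filter applied to an
        administrative listing, so an editor who blocks the admin disappears."""
        return {u: r for u, r in self.page_roles[page].items()
                if not self.is_blocked(viewer, u)}

    def page_roles_fixed(self, page, viewer):
        """Authorize on the viewer's role only; never filter role holders by
        social relationships, so an admin always sees everyone with access."""
        if self.page_roles[page].get(viewer) != "admin":
            raise PermissionError("only page admins may list roles")
        return dict(self.page_roles[page])

    def hidden_role_holders(self, page, viewer):
        """Audit check: role holders the filtered view would hide from this admin."""
        full = self.page_roles_fixed(page, viewer)
        shown = self.page_roles_vulnerable(page, viewer)
        return sorted(set(full) - set(shown))


def build_sample():
    """Constructed data mirroring the report: A is admin, B is an editor who blocks A."""
    d = Directory()
    d.page_roles["page"] = {"A": "admin", "B": "editor", "C": "editor"}
    d.blocks["B"] = {"A"}
    return d


if __name__ == "__main__":
    d = build_sample()
    print("filtered view seen by A:", d.page_roles_vulnerable("page", "A"))
    print("hidden from admin A:", d.hidden_role_holders("page", "A"))
```

Running the audit helper against the filtered listing is the check a page owner would want: any name it returns is a role holder that the vulnerable view silently omits.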


I would like to thank all my fellow researchers in the Facebook Bug Bounty Community for helping me out extensively whenever I had any doubts.

I would also like to thank the Facebook security team for giving me an opportunity to participate in the Bug Bounty Program & for protecting billions of users from security attacks.

Thanks again!

Have a great day ahead ☺