Bypassing the fix of the Domain Blocking feature in Business Manager

Rohit kumar
Aug 15, 2019 · 1 min read

A few months back I reported this vulnerability, "Demoted business admin could apply blocklist to all ad accounts", and FB rewarded me $500 for it. After a little more testing, I noticed I could still apply blocklists with low privileges to all ad accounts in Business Manager.

PoC Video


This could allow a demoted business admin to apply a blocklist to all ad accounts.

Repro steps

You need two admin accounts (Admin A, Admin B) in a Business Manager.

1. From the Admin B account, upload a new blocklist and apply it to all ad accounts.
2. From the Admin A account, change the role of "Admin B" to employee.
3. Now, from the Admin B account (which is now an employee), visit the blocklist page. You will notice you can upload a blocklist, but you can't apply it to all ad accounts.
4. To push a new blocklist to all ad accounts anyway, simply replace the previous blocklist that you uploaded and applied to all ad accounts.
5. The new blocklist is updated and applied to all ad accounts.
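The bug class behind these steps is an authorization check enforced on the "create and apply to all accounts" path but not on the "replace an existing list" path, so a list keeps the scope it was granted when its owner was still an admin. The toy model below is an added example written for this writeup; it is hypothetical code and not Facebook's implementation. The role names, the `BusinessManager`, `Blocklist`, `upload_and_apply`, `replace_vulnerable` and `replace_fixed` names, and the domain values are all constructed for illustration. `reproduce()` walks the five repro steps once against the vulnerable replace path and once against a fixed one that re-checks the caller's current role against the scope the replacement will inherit.

```python
"""
Toy model of an authorization flaw of the kind described in the repro steps:
the admin-only check runs when a blocklist is first applied to all ad accounts,
but not when an existing all-accounts blocklist is replaced in place.
Hypothetical illustration code; not Facebook's implementation.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ADMIN = "admin"
EMPLOYEE = "employee"


class PermissionDenied(Exception):
    pass


@dataclass
class Blocklist:
    blocklist_id: int
    owner: str             # user who uploaded the list
    domains: list[str]
    applies_to_all: bool   # True when applied to every ad account in the business


@dataclass
class BusinessManager:
    roles: dict[str, str] = field(default_factory=dict)        # user -> current role
    blocklists: dict[int, Blocklist] = field(default_factory=dict)
    next_id: int = 1

    def set_role(self, user: str, role: str) -> None:
        self.roles[user] = role

    def upload_and_apply(self, user: str, domains: list[str], apply_to_all: bool) -> Blocklist:
        # Applying a list to all ad accounts requires the admin role.
        # This check exists in both the vulnerable and the fixed variant.
        if apply_to_all and self.roles.get(user) != ADMIN:
            raise PermissionDenied(f"{user} may not apply a blocklist to all ad accounts")
        bl = Blocklist(self.next_id, user, list(domains), apply_to_all)
        self.blocklists[bl.blocklist_id] = bl
        self.next_id += 1
        return bl

    def replace_vulnerable(self, user: str, blocklist_id: int, domains: list[str]) -> Blocklist:
        # Vulnerable: only ownership is checked, so the new contents silently
        # inherit the all-accounts scope granted while the owner was an admin.
        bl = self.blocklists[blocklist_id]
        if bl.owner != user:
            raise PermissionDenied(f"{user} is not the owner of blocklist {blocklist_id}")
        bl.domains = list(domains)
        return bl

    def replace_fixed(self, user: str, blocklist_id: int, domains: list[str]) -> Blocklist:
        # Fixed: re-evaluate the caller's *current* role against the scope the
        # replacement will inherit, exactly as upload_and_apply does.
        bl = self.blocklists[blocklist_id]
        if bl.owner != user:
            raise PermissionDenied(f"{user} is not the owner of blocklist {blocklist_id}")
        if bl.applies_to_all and self.roles.get(user) != ADMIN:
            raise PermissionDenied(f"{user} may not modify a blocklist applied to all ad accounts")
        bl.domains = list(domains)
        return bl


def reproduce(use_fix: bool) -> list[str]:
    """Walk the repro steps and return the domains currently blocked on all ad
    accounts. With use_fix=True the in-place replacement raises PermissionDenied."""
    bm = BusinessManager()
    bm.set_role("admin_a", ADMIN)
    bm.set_role("admin_b", ADMIN)
    # Step 1: Admin B uploads a blocklist and applies it to all ad accounts.
    bl = bm.upload_and_apply("admin_b", ["old.example"], apply_to_all=True)
    # Step 2: Admin A demotes Admin B to employee.
    bm.set_role("admin_b", EMPLOYEE)
    # Step 3: a fresh all-accounts upload by the demoted user is refused.
    try:
        bm.upload_and_apply("admin_b", ["new.example"], apply_to_all=True)
        raise AssertionError("expected the create path to refuse an employee")
    except PermissionDenied:
        pass
    # Steps 4 and 5: replace the earlier list in place; the result keeps its scope.
    replace = bm.replace_fixed if use_fix else bm.replace_vulnerable
    replace("admin_b", bl.blocklist_id, ["new.example"])
    return [d for b in bm.blocklists.values() if b.applies_to_all for d in b.domains]


if __name__ == "__main__":
    print("vulnerable:", reproduce(use_fix=False))
    try:
        reproduce(use_fix=True)
    except PermissionDenied as exc:
        print("fixed:", exc)
```

The point for reviewers of any role-based system is the same one the repro steps make: authorization decisions must be made against the caller's current role at the time of every state-changing request, including edits of objects they already own, rather than being inherited from the privileges they held when the object was created.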
