Bypassing the fix of the Domain Blocking feature in Business Manager

Rohit kumar
Aug 15 · 1 min read

A few months back I reported the vulnerability "Demoted business admin could apply blocklist to all ad accounts" and FB rewarded me $500 for it. After a bit more testing, I noticed I can still apply a blocklist to all ad accounts in Business Manager with low privileges.

PoC Video

Impact

This could allow a demoted business admin to apply a blocklist to all ad accounts.

Repro steps

You need two admin accounts (Admin A and Admin B) in a business manager.

Steps
===
1. From the Admin B account, upload a new blocklist and apply it to all ad accounts.
2. From the Admin A account, change the permission of "Admin B" to employee.
3. Now, from the Admin B account (which is now an employee), visit the blocklist page. You will notice you can upload a blocklist but you can't apply it to all ad accounts.
4. To apply a new blocklist to all ad accounts anyway, simply replace the previous blocklist that you uploaded earlier and that was applied to all ad accounts.
5. The new blocklist will be updated/applied to all ad accounts.
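The root cause in the steps above is an authorization check that runs only at upload time: the "apply to all ad accounts" scope is stored with the blocklist, and a later replace by its owner inherits that scope without re-checking the owner's current role. The following is an added model of that gap and its fix (constructed example, not Facebook's code; the roles, class names and method names are assumptions):

```python
# Added example (not Facebook code): models the authorization gap in the repro above.
from dataclasses import dataclass

ADMIN, EMPLOYEE = "admin", "employee"  # assumed role names


@dataclass
class Blocklist:
    owner: str
    domains: set
    applies_to_all: bool  # scope chosen when the list was first uploaded


class BusinessManager:
    def __init__(self):
        self.roles = {}       # user -> current role
        self.blocklists = {}  # name -> Blocklist

    def upload(self, user, name, domains, apply_to_all):
        # Scope is checked at upload time: only admins may target all ad accounts.
        if apply_to_all and self.roles.get(user) != ADMIN:
            raise PermissionError("only admins may apply a blocklist to all ad accounts")
        self.blocklists[name] = Blocklist(user, set(domains), apply_to_all)

    def replace_vulnerable(self, user, name, domains):
        # Flawed: ownership alone authorizes the replace, and the stored scope
        # (chosen while the user was still an admin) is carried over unchanged.
        bl = self.blocklists[name]
        if bl.owner != user:
            raise PermissionError("not the owner")
        bl.domains = set(domains)

    def replace_fixed(self, user, name, domains):
        # Fixed: re-evaluate the caller's *current* role against the stored scope
        # on every mutation, not only at creation.
        bl = self.blocklists[name]
        if bl.owner != user:
            raise PermissionError("not the owner")
        if bl.applies_to_all and self.roles.get(user) != ADMIN:
            raise PermissionError("demoted user may not modify a business-wide blocklist")
        bl.domains = set(domains)


def demoted_user_changed_global_list(fixed):
    """Replays steps 1, 2 and 4; returns True if the demoted user's new
    domains ended up applied to all ad accounts."""
    bm = BusinessManager()
    bm.roles = {"admin_a": ADMIN, "admin_b": ADMIN}
    bm.upload("admin_b", "list1", ["a.example"], apply_to_all=True)  # step 1
    bm.roles["admin_b"] = EMPLOYEE                                    # step 2
    replace = bm.replace_fixed if fixed else bm.replace_vulnerable
    try:
        replace("admin_b", "list1", ["b.example"])                    # step 4
    except PermissionError:
        return False
    return bm.blocklists["list1"].applies_to_all
```

The detection angle is the same check in reverse: any mutation of a business-wide blocklist by a principal whose current role is below admin should be logged and rejected, regardless of who created the list.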
