Whitehat test accounts can act as Hidden Admin with Business manager / Ad Accounts.

Again, this will be a copy/paste of my whole report; no fancy GIFs or memes in this report 😐


Title

Whitehat test accounts can act as Hidden Admin with Business manager / Ad Accounts.

Vuln Type

Privacy / Authorization

Product Area

Facebook — Web

Description/Impact

Description
===
Hi Facebook Team,

According to Facebook Whitehat, test accounts have some limitations, such as:

1. Can interact with other test accounts, but not with real accounts
2. Are exempt from Facebook spam or fake account detection systems
3. Cannot like Facebook pages or post to a page’s Wall
4. Cannot be converted to a real user account

However, I noticed that a malicious admin can perform a lot of actions in a real Business Manager account, and all those actions will not be visible to other admins/managers, which leads to different kinds of risk.

I was able to perform and test this vulnerability on different features like:

1. Add hidden pages
2. Hidden ad account managers
3. Hidden pages in partner businesses
4. Can add a hidden system user

A hidden Business Manager admin (which is a whitehat test account) can work on all the above-mentioned features, and all that work will be completely hidden from other real admins.

I will reply in this same thread if I am able to perform any more tasks.

Impact
===
Malicious admins can add pages, give ad account access permissions to other malicious persons, add new partner businesses (with hidden pages inside those businesses), etc.

Repro steps

Setup
===
1 Whitehat test account
1 Real user account
1 Business account created by the real user account

Steps
===
1. From the real user account, send an invite to the email someone@email.com
2. Now, click on the Resend email button and copy the signup link.
3. Now, from the whitehat test account, visit that link and join that business.
4. Now, add any page from the whitehat test account (a page which was created by you); that page is not visible to other admins.
5. Now, open the ad account list and assign yourself to an ad account. Other admins can't see that you are managing that ad account.
6. Add a system user from the whitehat test account; other admins can't see that system user.
7. From the whitehat test account, create another business with a few pages linked to it.
8. Add that business to the real business account as a partner; other admins will not be able to see the list of linked pages in that business.
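The common thread in the impact section and the repro steps above is that a principal can take administrative actions while being absent from the roster and inventories the other admins are shown. The following is an added illustration, not part of the original report and not Facebook's code, API or schema: a defender-side reconciliation that walks an audit trail and flags any actor missing from the visible admin list, and any page, ad account assignment or system user that an audited action created but the visible inventory lacks. All data, field names and identifiers below are constructed for the example.

```python
"""Reconcile a Business-Manager-style visible state against an audit trail.

Added example for this write-up; the dictionaries, field names and
identifiers are constructed and hypothetical, not Facebook's API or schema.
"""
from collections import defaultdict

# Constructed: what the legitimate admins are shown in the UI.
VISIBLE = {
    "admins": {"alice@example.com", "bob@example.com"},
    "pages": {"page:1001"},
    "ad_account_managers": {("act:3003", "alice@example.com")},
    "system_users": {"sysuser:42"},
}

# Constructed audit trail; "actor" is whoever performed the action.
AUDIT_EVENTS = [
    {"actor": "alice@example.com", "action": "add_page", "target": "page:1001"},
    {"actor": "hidden-tester@example.invalid", "action": "add_page", "target": "page:2002"},
    {"actor": "hidden-tester@example.invalid", "action": "assign_ad_account", "target": "act:3003"},
    {"actor": "bob@example.com", "action": "add_system_user", "target": "sysuser:42"},
    {"actor": "hidden-tester@example.invalid", "action": "add_system_user", "target": "sysuser:99"},
]


def reconcile(visible, events):
    """Compare each audited action with the visible state and return findings.

    A finding is raised when (a) the actor is not in the visible admin roster,
    or (b) the object the action created or assigned is absent from the visible
    inventory. Either condition means the other admins cannot see what happened.
    Returns a dict keyed by finding kind; an empty dict means everything reconciles.
    """
    findings = defaultdict(list)
    for ev in events:
        actor, action, target = ev["actor"], ev["action"], ev["target"]

        # (a) Hidden actor: someone acted who is not on the roster admins see.
        if actor not in visible["admins"]:
            findings["hidden_actor"].append((actor, action, target))

        # (b) Hidden object: the action's result is missing from the visible inventory.
        if action == "add_page" and target not in visible["pages"]:
            findings["hidden_page"].append(target)
        elif action == "assign_ad_account" and (target, actor) not in visible["ad_account_managers"]:
            findings["hidden_ad_manager"].append((target, actor))
        elif action == "add_system_user" and target not in visible["system_users"]:
            findings["hidden_system_user"].append(target)
    return dict(findings)


if __name__ == "__main__":
    for kind, items in reconcile(VISIBLE, AUDIT_EVENTS).items():
        print(kind, items)
```

The check is deliberately two-sided: flagging only unknown actors would miss a case where a roster is complete but an inventory is filtered, and flagging only unknown objects would miss a hidden actor who reassigns an object that is already listed. In practice the audit trail would have to come from a source the hidden principal cannot filter, which is exactly the property the report shows the visible UI lacked.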


21 Jun

Hi Rohit,

Thank you for your submission.

We’ve managed to reproduce your report and will get back to you once we have had a chance to investigate.

Thanks,

Logan
Security


Your Reply

14 Jul

Hi Logan,

Any updates on this report?

Thanks,
Rohit Kumar


Your Reply

25 Aug

Hi Logan!

Can I get any update on this report, please?


30 Aug

Hi Rohit,

Sorry for the delay. Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you updated on our progress.

Regards,

Joel
Security


2 Oct

Hi Rohit,

We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not resolve this issue. We will follow up regarding any bounty decisions soon.

Thanks,

Joel
Security


Your Reply

3 Oct

Hi Joel,

Yes, I believe this vulnerability has been patched!

Thanks,
Rohit Kumar


Yesterday

After reviewing this issue, we have decided to award you a bounty of $XXX. Below is an explanation of the bounty amount. Facebook fulfills its bounty awards through Bugcrowd.

Whitehat test accounts can be invited to a regular Business Manager.

Thank you again for your report. We look forward to receiving more reports from you in the future!

Have any questions? Let me know on my Twitter handle @rohitcoder
