Description: A malicious user can create a test conversion using any app ID, including one belonging to another advertiser, which could reveal the sales and conversions of that advertiser's active campaign.
Impact: Before this feature was redesigned, a user could choose which type of event the test should count as a conversion. These event types include purchase, add to wishlist, initiate checkout, spend credit, etc. Because the app ID in the request was not checked against the requester's ad account, a test pointed at the victim's app reported conversion counts for events the attacker had no right to see.
1. Go to facebook.com/test-and-learn/?act=AD_ACCOUNT_ID
2. Click Set Up Test.
3. Fill in the necessary information.
4. Intercept the request before the test is created.
5. In the /ad-studies request, change the app ID to your victim's app ID.
6. The test conversion is created against the victim's app.
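The root cause in the steps above is an insecure direct object reference: the server authorized the ad account but trusted the client-supplied app ID as-is. The following is an added example, not Facebook's code, showing a minimal "before" handler that reproduces the flaw beside a hardened one that checks the app is linked to the requester's ad account. All names, fixtures and IDs (`act_1001`, `app_999`, `AD_ACCOUNTS`, `create_ad_study_*`) are constructed for illustration.

```python
"""Added example (not Facebook's code): the missing authorization check.

The ad-studies endpoint takes an app ID from the request body. The vulnerable
handler trusts it; the hardened handler verifies that the app is linked to the
requesting user's ad account before creating the test. Every name, table and
ID in this file is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Set, List, Dict


class Forbidden(Exception):
    """Raised when the requester may not act on the referenced object."""


@dataclass
class AdAccount:
    account_id: str
    owner_id: str
    linked_app_ids: Set[str] = field(default_factory=set)


# Constructed fixtures: two advertisers, each with an ad account and one app.
AD_ACCOUNTS: Dict[str, AdAccount] = {
    "act_1001": AdAccount("act_1001", owner_id="attacker", linked_app_ids={"app_777"}),
    "act_2002": AdAccount("act_2002", owner_id="victim", linked_app_ids={"app_999"}),
}
STUDIES: List[dict] = []


def _load_owned_account(requester_id: str, ad_account_id: str) -> AdAccount:
    """Shared check: the ad account in the URL must belong to the requester."""
    account = AD_ACCOUNTS.get(ad_account_id)
    if account is None or account.owner_id != requester_id:
        raise Forbidden("not your ad account")
    return account


def create_ad_study_vulnerable(requester_id: str, ad_account_id: str,
                               app_id: str, conversion_event: str) -> dict:
    """'Before' behaviour: only the ad account is authorized. The app_id from
    the request body is used unchecked, so an attacker who intercepts the
    request can point the test at any advertiser's app."""
    _load_owned_account(requester_id, ad_account_id)
    study = {"account": ad_account_id, "app": app_id, "event": conversion_event}
    STUDIES.append(study)
    return study


def create_ad_study_fixed(requester_id: str, ad_account_id: str,
                          app_id: str, conversion_event: str) -> dict:
    """Hardened: the app referenced by the client-supplied ID must be within
    the requester's authorization scope, not merely a valid app ID."""
    account = _load_owned_account(requester_id, ad_account_id)
    if app_id not in account.linked_app_ids:
        raise Forbidden("app is not linked to this ad account")
    study = {"account": ad_account_id, "app": app_id, "event": conversion_event}
    STUDIES.append(study)
    return study


def demo():
    """Replay the report: the attacker owns act_1001 but submits app_999."""
    # Vulnerable handler: the study is created against the victim's app.
    leaked = create_ad_study_vulnerable("attacker", "act_1001", "app_999", "purchase")
    # Fixed handler: the same request is rejected.
    try:
        create_ad_study_fixed("attacker", "act_1001", "app_999", "purchase")
        blocked = False
    except Forbidden:
        blocked = True
    # Fixed handler still works for the attacker's own linked app.
    own = create_ad_study_fixed("attacker", "act_1001", "app_777", "purchase")
    return leaked["app"], blocked, own["app"]


if __name__ == "__main__":
    print(demo())
```

The check worth noting is the second one in `create_ad_study_fixed`: authorizing the container (the ad account) is not enough when the request body also names another object (the app); every client-supplied ID has to be resolved and checked against the requester's scope.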
Feb. 10, 2018 — Issue Reported
Feb. 16, 2018 — Report Triaged
Mar. 22, 2018 — Issue Fixed
Mar. 26, 2018 — Bounty Awarded $3,000