How I was able to generate Access Tokens for any Facebook user.

Samm0uda
Dec 10, 2018 · 2 min read

This bug could have allowed a malicious user to generate access tokens for any Facebook user.
I found this bug by accident while testing some Facebook endpoints used in the Rights Manager dashboard, a dashboard aimed at video publishers and editors.

The vulnerable endpoint returns a page access_token when it receives a POST request carrying the parameter page_id.
The issue is that the endpoint doesn’t check that the value supplied for page_id is actually the id of a “page” object and not of another object type such as a “user”. That allowed me to send the request with page_id set to any Facebook user id and get back, in the response, an access token for that user.


Impact
Because of the state of the access token (the scopes of the generated access_token are page scopes, not user scopes), I wasn’t able to read or modify some of the user’s data (such as messages), and I wasn’t able to fully take over the account. Nevertheless, I was able to read all private information such as emails, credit cards, phone numbers, managed pages and their access_tokens, managed business/ad accounts, and private posts, photos and videos.

Fix
The Facebook security team fixed this issue by modifying their APIs to refuse tokens generated this way (for a user object instead of a page). Then, after almost six months, they made a second fix by modifying this endpoint and some others so that they no longer generate these types of tokens in the first place, by checking that the id provided does not match a user object.
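The two layers of that fix, as an added illustration that is not Facebook’s code and not from the original post: a toy token issuer that first mints a page-scoped token for whatever object page_id resolves to (the flaw), then the issuer-side check that the id is really a page, and the consumer-side check that refuses a token whose subject is not a page. The object graph, ids, scopes, token format and signing key are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed toy object graph keyed by id, standing in for the mixed
# id space that the page_id parameter is resolved against.
OBJECTS = {
    "1001": {"type": "page", "name": "Example Page", "admins": {"7001"}},
    "7001": {"type": "user", "name": "Alice"},
    "7002": {"type": "user", "name": "Bob"},
}
SECRET = b"demo-signing-key"  # constructed; a real service keeps this in a KMS


def _mint(subject_id, scopes):
    """Mint a signed token. Toy format: urlsafe_b64(payload).hex(hmac_sha256)."""
    payload = json.dumps({"sub": subject_id, "scopes": scopes}, sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def issue_page_token_vulnerable(page_id, caller_id):
    """Mirrors the flaw: the id is resolved but its type is never checked,
    so a user id yields a page-scoped token whose subject is that user."""
    if page_id not in OBJECTS:
        raise KeyError("unknown object")
    return _mint(page_id, ["pages_manage"])


def issue_page_token_fixed(page_id, caller_id):
    """Second fix from the write-up: refuse unless the id resolves to a page
    object. The admin check is an extra authorization step assumed here."""
    obj = OBJECTS.get(page_id)
    if obj is None or obj["type"] != "page":
        raise PermissionError("page_id does not refer to a page object")
    if caller_id not in obj["admins"]:
        raise PermissionError("caller does not administer this page")
    return _mint(page_id, ["pages_manage"])


def verify_page_token(token):
    """First fix from the write-up, on the consuming side: a valid signature
    is not enough; the subject must itself be a page. Returns the subject id."""
    b64, sig = token.rsplit(".", 1)
    payload = base64.urlsafe_b64decode(b64.encode())
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("bad signature")
    sub = json.loads(payload)["sub"]
    if OBJECTS.get(sub, {}).get("type") != "page":
        raise PermissionError("token subject is not a page; refusing")
    return sub
```

Run against the toy graph, a legitimately issued page token verifies, while a token the vulnerable issuer minted for a user id is rejected by the consumer, and the fixed issuer never mints it at all.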

Feb 3, 2018 — Report Sent
Feb 6, 2018 — Further investigation by Facebook
Feb 6, 2018 — Clarification requested by Facebook
Feb 6, 2018 — Clarification sent
Feb 8, 2018 — Fixed by Facebook
Feb 23, 2018 — Bounty Awarded by Facebook
