A year after my previous findings I wished to revisit Business Manager. A lot of changes have been made. This bug is quite similar to the previous Disclose App Admins one. The “/business/objects/fetch/permissions/users/” endpoint is used to fetch which permissions users have on asset-type pages, apps, etc. Meanwhile, the call for asset type “Pages” was secured but was […]
In Facebook Business Manager, there is an endpoint that fetches the admin list for pages, apps and other assets. Meanwhile, the call for Facebook Pages was secured but was vulnerable for the asset type Apps. An IDOR (Insecure Direct Object Reference) vulnerability allowed fetching the admin list for any Facebook Application regardless of having […]