Facebook Apps-Roles Vulnerability

I recently found a security vulnerability in Facebook which allows the admin of an app to add any user to the app's roles without their permission.

There are several roles in Facebook apps [Admins, Developers, Testers, Insight_Users] to which an admin can add users, with their permission. Each role has a different level of access. If an admin adds a user to a role, Facebook sends an invitation to that user for confirmation.

Until the user confirms, the request stays pending.

But I noticed that adding Testers does not require any permission, so I tried to manipulate this endpoint. While testing it I found a vulnerability with a simple trick that leads to a permission bypass.

Steps:

First add the user as a Tester (this succeeds without any permission), then add the same user to any other role. It will not ask for any permission; it directly moves the user into the new role, even without any user interaction.

Hope you understand. For more, watch my video POC:

Note: The bug has now been fixed. Except for Testers, all other roles require the user's permission.

10-August-2015: Report sent

13-August-2015: Further investigation by Facebook

26-August-2015: Fixed by Facebook

4-September-2015: $500 bounty awarded by Facebook

Web Security Researcher