Facebook Apps-Roles Vulnerability
I recently found a security vulnerability in Facebook that allowed the admin of an app to add any user to the app's roles without the user's permission.
There are several roles in Facebook apps [Admins, Developers, Testers, Insight Users] to which an admin can add users, with their permission. Each role has a different level of access. When an admin adds a user to a role, an invite is sent to that user for confirmation. Until the user confirms, the request stays pending.
But I noticed that adding a user as a Tester does not require any permission, so I tried manipulating this endpoint. While testing, I found a vulnerability with a simple trick that bypasses the permission check.
Steps:
First, add the user as a Tester (this succeeds without any permission). Then add the same user to any other role. No permission is requested; the user is moved directly into the new role, without any user interaction.
I hope this is clear. For more, watch my video PoC:
Note: The bug has now been fixed. Except for Testers, all other roles require the user's permission.
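To make the flaw concrete, the following is an added example in Python; it is not Facebook's code, and the post does not show the server side. It models the invite flow as described above: Testers are added without consent, and every other role normally needs an accepted invite. The root cause in the vulnerable variant (a user who already holds any role in the app is treated as having consented, so a role change is applied in place) is an assumption inferred from the observable behaviour, not something the post states. The fixed variant ties consent to the target role rather than to app membership, which matches the note that only Testers are added without permission.

```python
"""Toy model of an app-roles invite flow (added example, not Facebook code).

The internal check behind the bypass is an ASSUMPTION: the post only shows
the observable behaviour (Tester added without consent, then moved to any
role without consent).
"""
from dataclasses import dataclass, field

# Roles named in the post. Only "tester" is added without the user's consent.
CONSENT_ROLES = {"admin", "developer", "insights_user"}
ALL_ROLES = CONSENT_ROLES | {"tester"}


@dataclass
class App:
    roles: dict = field(default_factory=dict)    # user_id -> confirmed role
    pending: dict = field(default_factory=dict)  # user_id -> role awaiting consent


class VulnerableRoleManager:
    """Models the pre-fix behaviour."""

    def add_role(self, app: App, user: str, role: str) -> str:
        if role not in ALL_ROLES:
            raise ValueError(f"unknown role {role!r}")
        if role == "tester":
            app.roles[user] = "tester"      # no invite, as the post states
            return "added"
        # ASSUMED root cause: a user who already holds any role in the app is
        # treated as having consented, so the new role is applied directly.
        # Adding the victim as a Tester first satisfies this check.
        if user in app.roles:
            app.roles[user] = role
            return "added"
        app.pending[user] = role
        return "pending"


class FixedRoleManager:
    """Consent is tied to the target role, not to membership in the app."""

    def add_role(self, app: App, user: str, role: str) -> str:
        if role not in ALL_ROLES:
            raise ValueError(f"unknown role {role!r}")
        if role == "tester":
            app.roles[user] = "tester"      # still consent-free, per the post
            return "added"
        if app.roles.get(user) == role:
            return "unchanged"              # already holds exactly this role
        # Every consent-requiring role needs a fresh invite, whatever the user
        # currently holds (Tester included). Previous roles grant no shortcut.
        app.pending[user] = role
        return "pending"

    def accept_invite(self, app: App, user: str) -> str:
        """Only the invited user can turn a pending invite into a role."""
        role = app.pending.pop(user, None)
        if role is None:
            raise PermissionError("no pending invite for this user")
        app.roles[user] = role
        return role


def run_bypass(manager) -> dict:
    """Replays the two steps from the post against a fresh app and reports state."""
    app = App()
    victim = "victim_user_id"  # constructed identifier
    first = manager.add_role(app, victim, "tester")
    second = manager.add_role(app, victim, "admin")
    return {
        "steps": (first, second),
        "role": app.roles.get(victim),
        "pending": app.pending.get(victim),
    }


if __name__ == "__main__":
    print("vulnerable:", run_bypass(VulnerableRoleManager()))
    print("fixed:     ", run_bypass(FixedRoleManager()))
```

Against the vulnerable manager the victim ends up a confirmed admin after two admin-side calls; against the fixed manager the victim stays a Tester and the admin role sits in the pending queue until the victim accepts it.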
Timeline:
10-August-2015: Report Sent
13-August-2015: Further investigation by Facebook
26-August-2015: Fixed by Facebook
4-September-2015: $500 bounty awarded by Facebook