Facebook Apps-Roles Vulnerability

Lokesh Kumar
Nov 7, 2017

I recently found a security vulnerability in Facebook that allowed the admin of an app to add any user to the app's roles without that user's permission.

Facebook apps have several roles [Admins, Developers, Testers, Insight_Users] to which an admin can add users, with their permission. Each role grants a different type of access. If an admin adds a user to a role, Facebook sends an invite to that user for confirmation.

Until the user confirms, the request stays pending.

But I noticed that adding a user as a Tester does not require any permission. So I tried to manipulate this endpoint, and while testing I found a vulnerability with a simple trick that bypasses the permission check.

Steps:

First add the user as a Tester (this succeeds without any permission) -> then add the same user to any other role. It will not ask for permission; the user is moved directly into the new role, even without any user interaction.

Hope you understand. For more, watch my video PoC:

Note: the bug has now been fixed. Apart from Testers, all other roles require the user's permission.
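As an added illustration (not code from this post or from Facebook, whose real implementation is not known), here is a small Python model of the role-assignment logic: a flawed policy that skips the invite whenever the user already holds some role, which is exactly what the tester-first sequence above exploits, beside a corrected policy that decides consent from the target role alone. Role names follow the post; the helper names are hypothetical.

```python
from dataclasses import dataclass, field

# Roles named in the post; only Testers can be granted without user consent.
ROLES = {"admins", "developers", "testers", "insight_users"}
CONSENT_FREE = {"testers"}


@dataclass
class App:
    roles: dict = field(default_factory=dict)    # user -> role currently held
    pending: dict = field(default_factory=dict)  # user -> role awaiting confirmation


def assign_role_vulnerable(app: App, user: str, role: str) -> str:
    """Flawed policy (hypothetical reconstruction of the bug): a user who already
    holds any role is treated as having consented, so a Tester can be moved
    into any other role with no invite at all."""
    assert role in ROLES
    if role in CONSENT_FREE or user in app.roles:
        app.roles[user] = role
        return "assigned"
    app.pending[user] = role
    return "pending"


def assign_role_fixed(app: App, user: str, role: str) -> str:
    """Hardened policy: consent is required by the target role, regardless of
    whether the user already holds some other role."""
    assert role in ROLES
    if role in CONSENT_FREE:
        app.roles[user] = role
        return "assigned"
    app.pending[user] = role
    return "pending"


def confirm_invite(app: App, user: str) -> bool:
    """The invited user accepts; only then does the held role change."""
    role = app.pending.pop(user, None)
    if role is None:
        return False
    app.roles[user] = role
    return True


def walk_through(policy) -> tuple:
    """Replay the two-step sequence from the post against a policy and report
    the outcome of each step plus the role the user ends up holding."""
    app = App()
    first = policy(app, "alice", "testers")
    second = policy(app, "alice", "admins")
    return first, second, app.roles.get("alice")
```

With the flawed policy the second step silently lands the user in Admins; with the fixed policy it only creates a pending invite and the user stays a Tester until they confirm.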

Timeline:

10-August-2015: Report sent

13-August-2015: Further investigation by Facebook

26-August-2015: Fixed by Facebook

4-September-2015: $500 bounty awarded by Facebook
