
Facebook Business Takeover-Facebook Reward $27,500 Bounty


Facebook Business Manager exposed an endpoint for importing admins into a business account. At the time, the endpoint performed no authorization check on the caller: any logged-in user could call it against any business ID. This meant it was possible to add oneself as an admin to any business without holding a role on it.

Proof of Concept

POST /business/aymc_assets/admins/import/ HTTP/1.1
Host: facebook.com

business_id=TARGET_BUSINESS_ID
admin_id=MALICIOUS_USER_ID
session_id=SESSION_ID

Sending this request with the attacker's own user ID as admin_id and a victim's business ID as business_id added the attacker to that business as an administrator. The only thing the server verified was that session_id belonged to a logged-in user, not that the user had any role on the target business.
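The flaw is a missing authorization check rather than a missing authentication check. The following is an added example, not Facebook's code or the write-up author's, that models the endpoint's behaviour in a few lines of Python: the vulnerable handler only checks for a valid session, while the hardened handler also requires the session's user to already be an admin of the business it is modifying. All names, IDs, and session tokens are hypothetical, and the business state is constructed inline.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the request must be rejected."""


@dataclass
class Business:
    business_id: int
    admins: set = field(default_factory=set)


# Hypothetical session store: session token -> user ID.
# User 42 owns business 1001; user 666 (the attacker) has no role anywhere.
SESSIONS = {"sess-owner": 42, "sess-attacker": 666}


def make_state():
    """Constructed sample state (fresh copy each call so demos do not interfere)."""
    return {1001: Business(1001, {42})}


def import_admin_vulnerable(businesses, business_id, admin_id, session_id):
    """Models the endpoint as described in the write-up: the caller must be
    logged in, but nothing ties the caller to the target business, so any
    user can add any admin_id (including themselves) to any business."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    biz = businesses[business_id]
    biz.admins.add(admin_id)
    return sorted(biz.admins)


def import_admin_fixed(businesses, business_id, admin_id, session_id):
    """Hardened version: authorization is decided from the caller identity
    derived from the session, never from client-supplied fields. The caller
    must already hold an admin role on the business being modified."""
    caller = SESSIONS.get(session_id)
    if caller is None:
        raise Forbidden("not logged in")
    biz = businesses.get(business_id)
    # Fail closed, and use the same error for "no such business" and
    # "no role on this business" so the endpoint cannot be used to
    # enumerate valid business IDs.
    if biz is None or caller not in biz.admins:
        raise Forbidden("caller has no admin role on this business")
    biz.admins.add(admin_id)
    return sorted(biz.admins)


def demo():
    """Replays the attacker's request against both handlers on fresh state."""
    results = {}
    state = make_state()
    results["vulnerable"] = import_admin_vulnerable(state, 1001, 666, "sess-attacker")
    state = make_state()
    try:
        import_admin_fixed(state, 1001, 666, "sess-attacker")
        results["fixed"] = "allowed"
    except Forbidden as exc:
        results["fixed"] = f"denied: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the fixed handler is that the decision is made on `caller`, which comes from the server-side session, while `business_id` and `admin_id` remain untrusted input. An endpoint that only checks "is there a session?" has authenticated the request but not authorized it, which is exactly the gap this report describes.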

Impact

This could have let an attacker with no existing role on a business take over any business account and gain access to every asset connected to it (Facebook Pages, ad accounts, applications, Instagram accounts).



Timeline

  • Oct 9, 2018 – Report Sent
  • Oct 9, 2018 – Further investigation by Facebook
  • Oct 10, 2018 – Endpoint removed
  • Oct 15, 2018 – Confirmation of audit by Facebook
  • Oct 15, 2018 – Fixed by Facebook
  • Oct 17, 2018 – $27,500 bounty awarded by Facebook


Writeup submitted by: Prial Islam Khan

Blog author: Md Hridoy

Copyright By © Bug Bounty TuT
