Sarmad Hassan

Published On: 02 Feb 2021

Create a block list in brand safety on behalf of any other user

Facebook | Web

Facebook has an option called "Brand Safety" for preventing your ads from running alongside certain types of content within Audience Network, Facebook Instant Articles and Facebook in-stream video; for more details see link.


When you go to Brand Safety controls and select a block list, a Graph API call is sent to the server as below:

POST /v7.0/AD_ACCOUNT_ID/auto_applied_ad_accounts?access_token=xxxx
account_id=

The vulnerable parameter is "account_id=". The attacker can change its value to any other user's ad account ID, and when the request is sent to the server it creates the block list on behalf of that user. The server never checks that the account named in the body belongs to the caller.


It was possible to create a block list in Brand Safety on behalf of any other user. This would prevent the victim from publishing ads in the placements chosen by the attacker.
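The following is an added example, not code from the write-up or from Facebook: a small in-memory model of the endpoint above that shows the missing authorization check next to a hardened version. Every name in it (BrandSafetyService, the user and account IDs, the block-list ID) is constructed for illustration.

```python
"""Toy model of the authorization bug behind the block-list IDOR.

Added example, not Facebook's code. All names (BrandSafetyService, user
and ad-account IDs, block-list IDs) are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class BlockList:
    list_id: str
    owner: str                       # user who created the list; only they may delete it
    name: str


@dataclass
class AdAccount:
    account_id: str
    owner: str
    applied_lists: set = field(default_factory=set)


class BrandSafetyService:
    """In-memory stand-in for the ad-account / block-list backend (constructed)."""

    def __init__(self):
        self.accounts = {}       # account_id -> AdAccount
        self.block_lists = {}    # list_id -> BlockList

    def add_account(self, owner, account_id):
        self.accounts[account_id] = AdAccount(account_id, owner)

    def create_block_list(self, owner, list_id, name):
        self.block_lists[list_id] = BlockList(list_id, owner, name)

    def _caller_owns_list(self, caller, list_id):
        lst = self.block_lists.get(list_id)
        return lst is not None and lst.owner == caller

    def apply_vulnerable(self, caller, path_account_id, body_account_id, list_id):
        """Mirrors the bug: the caller must own the block list, but the target
        account is taken from the body 'account_id' with no check that the
        caller owns it or that it matches the account in the URL path."""
        if not self._caller_owns_list(caller, list_id):
            raise PermissionError("not your block list")
        target = self.accounts[body_account_id]      # attacker-controlled, unchecked
        target.applied_lists.add(list_id)
        return sorted(target.applied_lists)

    def apply_fixed(self, caller, path_account_id, body_account_id, list_id):
        """Hardened version: the body must name the same account as the path,
        and that account must belong to the authenticated caller."""
        if body_account_id != path_account_id:
            raise ValueError("account_id in body does not match path")
        target = self.accounts.get(body_account_id)
        if target is None or target.owner != caller:
            raise PermissionError("caller does not own target ad account")
        if not self._caller_owns_list(caller, list_id):
            raise PermissionError("not your block list")
        target.applied_lists.add(list_id)
        return sorted(target.applied_lists)

    def delete_block_list(self, caller, list_id):
        """Only the creator may delete a list, which is why the victim is stuck."""
        if not self._caller_owns_list(caller, list_id):
            raise PermissionError("only the creator can delete this block list")
        del self.block_lists[list_id]
        for acct in self.accounts.values():
            acct.applied_lists.discard(list_id)

    def lists_applied_to(self, account_id):
        return sorted(self.accounts[account_id].applied_lists)


def demo():
    """Replays the write-up's scenario against both handlers; returns the outcomes."""
    svc = BrandSafetyService()
    svc.add_account("attacker", "act_111")
    svc.add_account("victim", "act_222")
    svc.create_block_list("attacker", "bl_1", "attacker-list.txt")

    # Attacker's request: the URL path names the attacker's own account,
    # the body account_id has been swapped to the victim's.
    svc.apply_vulnerable("attacker", "act_111", "act_222", "bl_1")
    victim_can_delete = True
    try:
        svc.delete_block_list("victim", "bl_1")
    except PermissionError:
        victim_can_delete = False

    # Same request against the fixed handler.
    fixed_rejected = False
    try:
        svc.apply_fixed("attacker", "act_111", "act_222", "bl_1")
    except (PermissionError, ValueError):
        fixed_rejected = True

    return {
        "victim_lists": svc.lists_applied_to("act_222"),
        "victim_can_delete": victim_can_delete,
        "fixed_rejected": fixed_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The fixed handler rejects the request twice over: the body/path mismatch is caught first, and even if an attacker rewrote the path as well, the ownership check on the target account still fails. Checking ownership of the block list alone, as the vulnerable handler does, is not enough, because the attacker legitimately owns the list; the object that needs the check is the account it is being applied to.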

Reproduction Steps


From the attacker account:

1- Go to
2- Select block list ===> Create block list ===> type a block list name and upload any .txt file ===> then hit upload ===> apply ===> select either option ("Don't apply to ad account now" or "Apply to ad account"), it doesn't matter ===> Save
3- Go to Control options ===> Select block list ===> check the block list name that you created ===> Intercept with Burp Suite ===> Save

you should see POST request like below:

POST /v7.0/AD_ACCOUNT_ID/auto_applied_ad_accounts?access_token=xxxxxxx HTTP/1.1


Change the value of "account_id=" to the victim's ad account ID and forward the request to the server. You will get an error response as below:

{"error":{"message":"Unsupported post request.","type":"GraphMethodException","code":100,"fbtrace_id":"AwRwBgKI-PylZaWcUybP0Kr"}}

Despite the error the server returned, the request still took effect.

From the victim account:

1- Go to
2- Then go to the Block lists options and you will see the block list the attacker created on behalf of the victim user. The victim is not able to delete this block list; only the attacker can delete it.


Special thanks

I would like to thank my friend Abdellah Yaala for his great support.

Sarmad, 10 Jan 2021: Initial Report
Facebook, 21 Jan 2021: Report Triaged
Facebook, 01 Feb 2021: Report Fixed
Sarmad, 02 Feb 2021: Fix Confirmed
Facebook, 02 Feb 2021: Bounty awarded