Sarmad Hassan

Published On: 26 Oct 2019

Sign up for Brand Collabs Manager on behalf of page admins - Privilege escalation

IDOR
Facebook | Web
---
LOW VALID

Brand Collabs Manager is a marketplace that helps brands and creators find, learn more about and connect with each other. You can find it in the Facebook Page settings. Generally only Page admins can apply (sign up) for Collabs Manager as a "creator" or "advertiser"; for more details see https://www.facebook.com/business/help/1898176230203655?id=1912903575666924.

Description

Other Page roles such as "Advertiser, Moderator, Editor and Job Manager" cannot apply (sign up) for Collabs Manager from the Facebook web interface, but this can be bypassed through an IDOR in the request that handles the sign-up option: the server acts on whatever Page IDs are supplied in the "page_ids" parameter, without tying them to the caller's role on those Pages.

Impact

This bug allows other (non-admin) Page roles to sign up for Brand Collabs Manager on behalf of the Page admins.




Reproduction Steps

Step 1

From the attacker account go to https://www.facebook.com/collabsmanager/signup/brand/.

Step 2

Select one of the Pages you are an admin of ===> type your email ===> check "I accept the Terms of Service" ===> intercept with Burp Suite ===> Submit.

Step 3

You will see a POST request like the one below:

POST /api/graphql/ HTTP/1.1
Host: www.facebook.com

av=100015771374000&__user=100015771374000&__a=1&.........blablabla&variables={"data":{"client_mutation_id":"xxx-xxx-xxx-xxx-xxx","email":"[email protected]","entry_source":null,"page_ids":["149646615725890"]}}&doc_id=2604093872934600

The vulnerable part is:

"page_ids":["149646615725890"]

Step 4

The attacker changes the "page_ids" value to the ID of a Page on which they only hold an "Advertiser, Moderator, Editor or Job Manager" role ===> forward the request to the server.

Step 5

From the victim account (an admin of that Page) go to https://www.facebook.com/collabsmanager/signup/brand/; under "Currently being reviewed for eligibility" you will notice that the Page has been added by the non-admin role without any admin interaction.
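To make the authorization failure behind these steps concrete, here is an added Python model of the sign-up mutation handler. It is example code written for this page, not Facebook's code. Everything beyond the captured request is constructed for the illustration: the second Page ID, the second user ID, the role table, and the assumption that the original endpoint checked only that the caller held some role on the Page rather than specifically the admin role. The model replays the tampered "page_ids" from Step 4 against that assumed vulnerable handler and against a hardened one that authorizes every object ID in the request against the caller's role before performing any write.

```python
import json
from dataclasses import dataclass, field

# Role names follow the report's wording; the values are constructed for this example.
ADMIN, EDITOR, MODERATOR, ADVERTISER, JOB_MANAGER = (
    "admin", "editor", "moderator", "advertiser", "job_manager")

# Constructed page-role table: page_id -> {user_id: role}. The attacker
# (100015771374000, the av/__user value from the captured request) is admin of
# the Page in the captured request and only an editor of the second, made-up Page.
PAGE_ROLES = {
    "149646615725890": {"100015771374000": ADMIN},
    "200000000000001": {"100015771374000": EDITOR, "100000000000009": ADMIN},
}

ATTACKER = "100015771374000"

# The `variables` parameter exactly as it appears in the captured POST body.
CAPTURED_VARIABLES = ('{"data":{"client_mutation_id":"xxx-xxx-xxx-xxx-xxx",'
                      '"email":"[email protected]","entry_source":null,'
                      '"page_ids":["149646615725890"]}}')


class AuthorizationError(Exception):
    """Raised when the caller may not act on one of the requested Pages."""


@dataclass
class SignupStore:
    """Pages queued as 'currently being reviewed for eligibility'."""
    pending: dict = field(default_factory=dict)   # page_id -> submitted email


def parse_variables(raw):
    """Decode the mutation's `variables` JSON into the fields the handler uses."""
    data = json.loads(raw)["data"]
    return {"email": data["email"], "page_ids": list(data["page_ids"])}


def tamper_page_ids(raw, new_page_ids):
    """Step 4 of the report: rewrite page_ids in the intercepted request."""
    body = json.loads(raw)
    body["data"]["page_ids"] = list(new_page_ids)
    return json.dumps(body, separators=(",", ":"))


def signup_vulnerable(store, caller_id, raw):
    """Assumed model of the reported behaviour: the handler checks that the
    caller holds *some* role on each Page but never that the role is admin."""
    variables = parse_variables(raw)
    for page_id in variables["page_ids"]:
        if caller_id not in PAGE_ROLES.get(page_id, {}):
            raise AuthorizationError(f"no role on page {page_id}")
        store.pending[page_id] = variables["email"]   # write happens per ID, mid-loop
    return sorted(store.pending)


def signup_fixed(store, caller_id, raw):
    """Hardened handler: authorize every object ID in the request against the
    caller's role before any side effect, so a tampered page_ids list fails closed."""
    variables = parse_variables(raw)
    for page_id in variables["page_ids"]:
        if PAGE_ROLES.get(page_id, {}).get(caller_id) != ADMIN:
            raise AuthorizationError(
                f"caller {caller_id} is not an admin of page {page_id}")
    for page_id in variables["page_ids"]:          # only after every check passed
        store.pending[page_id] = variables["email"]
    return sorted(store.pending)


def replay(handler):
    """Send the tampered request to a handler; return (accepted?, queued Page IDs)."""
    store = SignupStore()
    tampered = tamper_page_ids(CAPTURED_VARIABLES, ["200000000000001"])
    try:
        handler(store, ATTACKER, tampered)
        return True, sorted(store.pending)
    except AuthorizationError:
        return False, sorted(store.pending)


if __name__ == "__main__":
    print("vulnerable:", replay(signup_vulnerable))   # (True, ['200000000000001'])
    print("fixed:     ", replay(signup_fixed))        # (False, [])
```

The fix pattern is the general one for IDOR: a valid session says who the caller is, not what they may touch. Check the caller against every object ID the request names, and do all checks before the first write so that a list with one unauthorized ID cannot leave partial side effects.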



Timeline

Sarmad, 30 Sep 2019: Initial Report
Facebook, 03 Oct 2019: Checking this internally
Facebook, 16 Oct 2019: Report Triaged
Facebook, 23 Oct 2019: Fixed By Facebook
Sarmad, 23 Oct 2019: Fixed Confirmed
Facebook, 25 Oct 2019: Bounty awarded
