Kassem Bazzoun

Published On: 23 Sep 2020

Prevent pages from creating “Shop” in commerce manager

IDOR
Facebook | Web
---
MEDIUM VALID
Description

Pages have a section called "Shop" where admins can create their shop through Commerce Manager (https://www.facebook.com/commerce_manager/). A malicious user is able to prevent the admins of a page from creating their shop in Commerce Manager by adding the victim page to the attacker's commerce account (through a vulnerable GraphQL request). However, if the page has already created a "shop", the attacker can't perform this attack.

Impact

Using Commerce Manager, a person with no role on a page could prevent that page from creating a shop.




Reproduction Steps

Step 1

The attacker wants to prevent the victim page from creating a shop section (including creating products).

In the commerce account, after entering Settings, the owner of the commerce account can find a section called "Sales channel" that shows the pages listed in his commerce account.

There was an option to edit the visibility of these channels, with 3 options. I unpublished a channel, then intercepted the request and re-published the channels.


Step 2

After intercepting the request, I found this GraphQL mutation input:


{"input":{"client_mutation_id":"1","actor_id":"100002577308164","add_ids":["ID_VICTIM_PAGE"],"channel":"FACEBOOK","commerce_account_id":"COMMERCE_ID","status":"ENABLED"}}
doc_id = 3214294425281574

Let's focus on the param add_ids.

Step 3

Basically, the attacker wants to add the victim page to his commerce account.

The param add_ids is the one responsible for taking the "Page ID" and publishing it to the commerce account (publishing it to the sales channel). Due to a misconfiguration in this GraphQL request, this param accepted any page ID. Once I added the victim page ID, the page was added successfully although I had no role on that page, so the attacker is able to add any page to his commerce account.

Step 4

I tried to see if I could edit the SHOP section of the VICTIM page, since I had successfully added it to my commerce account, but unfortunately I wasn't able to do it.

So no impact so far, and nothing to report! It's true that I had added a page to my commerce account, but no impact :-)

Step 5

I decided to see what the admin of the VICTIM PAGE would see after I added his page to my commerce account. From the victim account I entered the commerce page creation flow and tried to create a shop for the victim page, and FORTUNATELY, once I reached the final step of creating the shop and hit Create, a message appeared: SOMETHING WENT WRONG.

I was aware that this message appeared because the attacker had already added this page to his commerce account.

 


Step 6

Before reporting the issue I started searching whether there was any way for the victim to remove his page from the attacker's commerce account, or at least to create a shop from another place, and found that there is no way for the victim to do it!
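The root cause across Steps 3 to 6 is a missing object-level authorization check on the page IDs passed in add_ids: the mutation verifies who owns the commerce account but never verifies that the caller holds a role on each page being linked. The following Python sketch is an added example, not Facebook's code. It models a sales-channel mutation resolver in memory, shows the vulnerable shape beside a hardened one that checks the caller's role on every referenced page and takes the caller's identity from the session rather than the request body, and adds the self-service unlink that the victim in Step 6 had no way to perform. All IDs, the role table, the commerce-owner table and the function names are constructed for illustration.

```python
# Added example, not Facebook's code: in-memory model of a "sales channel"
# mutation with the missing authorization check from the report, beside a
# hardened version. All IDs, tables and names here are constructed.

# Constructed: which user IDs hold an admin role on which page IDs.
PAGE_ROLES = {
    "page_victim": {"user_victim_admin"},
    "page_attacker": {"user_attacker"},
}

# Constructed: which user owns which commerce account.
COMMERCE_OWNERS = {"commerce_attacker": "user_attacker"}


class AuthorizationError(Exception):
    """Raised when the caller lacks the required role for the object."""


def new_store():
    """commerce_account_id -> set of page IDs published to its sales channel."""
    return {}


def _require_commerce_owner(actor_id, commerce_account_id):
    if COMMERCE_OWNERS.get(commerce_account_id) != actor_id:
        raise AuthorizationError("caller does not own this commerce account")


def update_sales_channel_vulnerable(store, mutation_input):
    """Mirrors the reported flaw: the caller's identity is read from the
    request body (actor_id) and add_ids is trusted without any page-role check."""
    inp = mutation_input["input"]
    actor_id = inp["actor_id"]
    acct = inp["commerce_account_id"]
    _require_commerce_owner(actor_id, acct)
    store.setdefault(acct, set()).update(inp["add_ids"])
    return {"client_mutation_id": inp["client_mutation_id"],
            "pages": sorted(store[acct])}


def update_sales_channel_fixed(store, session_user_id, mutation_input):
    """Hardened version: identity comes from the authenticated session, and
    every page ID in add_ids must be one the caller holds a role on."""
    inp = mutation_input["input"]
    acct = inp["commerce_account_id"]
    _require_commerce_owner(session_user_id, acct)
    for page_id in inp["add_ids"]:
        if session_user_id not in PAGE_ROLES.get(page_id, set()):
            # Reject the whole mutation so nothing is partially applied.
            raise AuthorizationError(f"caller has no role on page {page_id}")
    store.setdefault(acct, set()).update(inp["add_ids"])
    return {"client_mutation_id": inp["client_mutation_id"],
            "pages": sorted(store[acct])}


def unlink_page(store, session_user_id, page_id):
    """Self-service recovery (the piece missing in Step 6): a page admin may
    remove the page from every commerce account it was linked to. Returns the
    commerce account IDs it was removed from."""
    if session_user_id not in PAGE_ROLES.get(page_id, set()):
        raise AuthorizationError(f"caller has no role on page {page_id}")
    removed = []
    for acct, pages in store.items():
        if page_id in pages:
            pages.discard(page_id)
            removed.append(acct)
    return sorted(removed)


# Constructed request in the shape shown in Step 2 (placeholder IDs).
SAMPLE_MUTATION = {"input": {"client_mutation_id": "1",
                             "actor_id": "user_attacker",
                             "add_ids": ["page_victim"],
                             "channel": "FACEBOOK",
                             "commerce_account_id": "commerce_attacker",
                             "status": "ENABLED"}}


def demo():
    """Runs the vulnerable and fixed resolvers on the same request and then
    lets the page admin unlink the page that was added without authorization."""
    vulnerable_store = new_store()
    update_sales_channel_vulnerable(vulnerable_store, SAMPLE_MUTATION)
    vulnerable_linked = "page_victim" in vulnerable_store["commerce_attacker"]

    fixed_store = new_store()
    try:
        update_sales_channel_fixed(fixed_store, "user_attacker", SAMPLE_MUTATION)
        fixed_rejected = False
    except AuthorizationError:
        fixed_rejected = True
    fixed_linked = "page_victim" in fixed_store.get("commerce_attacker", set())

    unlinked_from = unlink_page(vulnerable_store, "user_victim_admin", "page_victim")
    return {"vulnerable_linked": vulnerable_linked,
            "fixed_rejected": fixed_rejected,
            "fixed_linked": fixed_linked,
            "unlinked_from": unlinked_from}


if __name__ == "__main__":
    print(demo())
```

The hardened resolver fails the whole mutation on the first unauthorized page ID instead of silently dropping it, so a client cannot use partial success to learn which IDs are linkable, and the unlink path gives the page side an escape hatch independent of whoever owns the commerce account.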

 

Timeline

Kassem, 22 Jul 2020: Report Sent

Facebook, 23 Jul 2020: Pre-triaged

Facebook, 28 Jul 2020: Triaged

Facebook, 10 Sep 2020: Bounty Awarded. "You demonstrated that, using Commerce Manager, a person with no role on a page could prevent that page from creating a shop. Please note, we're ..."

Facebook, 16 Sep 2020: Bug Fixed. "We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not res ..."

Kassem, 17 Sep 2020: Confirmation

VALID