Published On: 27 Dec 2022
Bypassing business quarantine (Integrity Safeguards)
Other
Facebook | Web
---
MEDIUM VALIDFacebook's Bug Bounty program has recently announced an update that includes a new category for vulnerabilities that pertain to integrity safeguards. - https://www.facebook.com/whitehat/bugbounty-education/3134775430128098
Description
During my testing, I discovered that it was possible to bypass two restrictions that are put in place when a business is placed in quarantine due to unusual behavior. These restrictions are meant to protect the platform's integrity and security.
Impact
It is essential to ensure that these quarantine measures are effective in protecting. If a user can bypass these restrictions, it can create problems for the platform and its users.
Reproduction Steps
Step
1
FBDL code:
[setup]
User UserOne
User UserTwo
Page PageOne with {owner: UserOne}
Business BizOne with {owner: UserOne, primary_page: PageOne,employees:[UserTwo], quarantine:true}
Step
2
1° Report: Create new ad accounts by calling the graphql mutation: ($500)
UserOne: Send a POST request to graph.facebook.com/graphql and change the value of the "businessID" parameter
variables={"businessID":"0000","adAccountName":"test","timezoneID":"373","currency":"USD","endAdvertiserID":"320836923513847"}
doc_id=3912982525454862
Step
3
2° Report: Add a low-level employee to the business and then change their role from employee to admin: ($2500)
a. Go to Business Manager Settings
b. Select the UserTwo's account name.
c. Click on the three horizontal dots in the upper right corner, then select Edit Role.
d. Change the UserTwo's role from "Employee" to "Admin."
e. Select "Save."