Max Pasqua

Published On: 14 Nov 2019

$750

Post Photos to Pages as an Advertiser

Other
Facebook | Web
---
LOW VALID

Within Facebook Pages there is an Advertiser role that lets the user create ads for the Page but does not give access to much else.

Description

This vulnerability allows an attacker holding the Advertiser role to post photos to a Page without permission.

Impact

The impact is that a user who a Page owner would assume could only create ads is able to post photos to the Page's feed.

Reproduction Steps

Step 2

Create a lead ad, go to the "Intro" tab of the creation panel and select "Use uploaded image".

Step 3

Upload an image and capture the HTTP POST request sent to facebook.com/ads/leadgen/upload/photo/.

Step 4

Change the ?av parameter to that of the victim's Page.

Step 5

Forward the request; the response will contain the post ID, which the attacker can then share, like, comment on, forward the photo, etc.
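From a defender's view, the root cause in these steps is that the upload endpoint acts as whatever Page the `av` parameter names as long as the caller has some role on it, rather than checking that the caller's role grants the side effect (a Page-actor photo post). The following is an added illustration, not Facebook's code, of a check that separates the Advertiser role's ad-creation permission from content posting; the role names, permission sets and the two upload functions are assumptions.

```python
# Hypothetical model of the authorization gap behind this report.
# Constructed example, not Facebook's code: role names, permissions
# and the upload function shapes are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed mapping from Page role to the actions it should grant.
ROLE_PERMISSIONS: Dict[str, set] = {
    "admin": {"create_ads", "post_content"},
    "editor": {"post_content"},
    "advertiser": {"create_ads"},
}

# Constructed sample data: user -> {page_id: role on that page}.
PAGE_ROLES: Dict[str, Dict[str, str]] = {
    "advertiser_user": {"victim_page": "advertiser"},
    "owner_user": {"victim_page": "admin"},
}


@dataclass
class UploadResult:
    kind: str      # "page_post" (Page is the actor) or "ad_asset"
    page_id: str
    asset_id: str


def _new_id(prefix: str, photo: bytes) -> str:
    # Stand-in for real ID generation; length keeps the example deterministic.
    return f"{prefix}_{len(photo)}"


def vulnerable_upload(user: str, av: str, photo: bytes) -> Optional[UploadResult]:
    """Before: any role on the Page named by `av` yields a Page-actor photo post."""
    if av not in PAGE_ROLES.get(user, {}):
        return None
    return UploadResult("page_post", av, _new_id("post", photo))


def hardened_upload(user: str, av: str, photo: bytes) -> Optional[UploadResult]:
    """After: the side effect is chosen by the caller's permission on `av`."""
    role = PAGE_ROLES.get(user, {}).get(av)
    perms = ROLE_PERMISSIONS.get(role, set())
    if "post_content" in perms:
        return UploadResult("page_post", av, _new_id("post", photo))
    if "create_ads" in perms:
        # Advertiser: store an ad-scoped asset only; no Page-actor post exists.
        return UploadResult("ad_asset", av, _new_id("adimg", photo))
    return None   # no role on that Page: reject outright
```

The detection angle follows from the same split: a Page-actor post whose creator holds only the Advertiser role on that Page is the anomaly to alert on.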

Invalid to Valid

Originally this report got closed with the following response by Facebook: "We've discussed this report with our team and this photo having page as the actor itself is the expected behavior as long as the photo is not posted to the page timeline directly. We tried to reproduce your finding and didn't see the photo in the page timeline itself. Please let us know if you can demonstrate otherwise." A year later I decided to try to rethink the impact of the vulnerability. I then responded with the idea of a malicious advertiser posting photos to the page of content that violates Facebook's terms of service in an attempt to get the page taken down. This was a shot in the dark, but it paid off, as it took the report from invalid to valid months later.


Timeline

Max, 04 Apr 2018: Submitted

Facebook, 13 Apr 2018: Triaged

Facebook, 07 Nov 2019: Bounty Awarded

VALID