Dan Melamed

Published On: 25 Apr 2020

Duplicate: Unauthorized Takeover of Any Facebook Page

IDOR
Facebook | Web
---
HIGH DUPLICATE
Description

While hunting for bugs, I accidentally stumbled upon a way to take over a Facebook page that is not linked to any business and that I am not an admin of. Unfortunately, someone else had found this bug before me, so it is a duplicate.

Impact

This would have allowed the complete takeover of any Facebook page not yet linked to a business account, without the page owner's permission.




Reproduction Steps

Step 1

Here is how I discovered the bug:

I had two Facebook accounts. One as the attacker and one as victim.

Step 2

On the attacker account, I had created a Facebook page under the category "Business Service" many months earlier. I then added the victim account as an editor of the page.

Step 3

One day, while checking my email notifications, I noticed that I had received the following email on December 6, 2018:
"We've grouped your business Pages into a business account. Please review."

The email body said:
"Pages doing business on Facebook must have a business account. It's a grouping of your business Pages with other assets, like ad accounts and Pixels. It isn't visible to the public.

We noticed you had business Pages that weren't connected to a business account, so we created one for you. Please review it. If it's correct you don't need to do anything. If you need to make changes go to your business on Facebook"

Apparently Facebook had automatically generated a temporary business account for my business page and had also added the page's editor (the victim account) to that business.

Step 4

I took note of the generated business id which was: (REDACTED)

Step 5

I visited the following link:
https://www.facebook.com/confirm_business/?business_id=(REDACTED)&entry_point=page_alarm_clock_notif_email

I clicked "Add" and chose to import one of my own pages into this business.

Step 6

I intercepted the resulting POST request to /business/aymc_assets/import/?dpr= with the following body:

business_id=(REDACTED)&asset_ids[0]=(PAGE_ID_HERE)&session_id=(SESSION_ID)&source=alarm_clock&__user=............

Step 7

I then created a brand new Facebook page from the victim's account that was not linked to any business. Replaying the request with asset_ids[0]=(VICTIM'S_PAGE_ID) resulted in the victim's page being added to the temporary business account. I was surprised, because the same substitution did not work against any other business account.

Step 8

I then visited the business URL, which redirected me to an interesting page:
https://business.facebook.com/temp_biz/convert/loading/?business_id=(REDACTED)

After a few seconds the page shows an alert box that says "Something went wrong. Please try again later."

Step 9

I continued to test the vulnerability until it suddenly stopped working. Revisiting the URL above, I was now redirected to the business settings, where I could manage the business, whereas minutes earlier I could not. My theory is that, before the conversion process was started, the temporary business account let me take over pages without authorization; once the conversion to a full business account completed, the vulnerability stopped working.
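The steps above describe a classic IDOR: the import endpoint accepted whatever asset_ids[] value the caller supplied, and (per my theory) only the temporary, not-yet-converted business skipped the check that the caller actually controls that asset. The following Python model is an added example, not Facebook's code; the real handler behind /business/aymc_assets/import/ is unknown. All names (Page, Business, import_assets_vulnerable, import_assets_fixed, the IDs 111/222/900 and the account names) are hypothetical, and the request bodies are constructed to mirror the intercepted one.

```python
"""Model of the asset-import authorization gap described in the write-up.

Added, hypothetical example: this is NOT Facebook's code. It encodes the
author's theory that a temporary (not yet converted) business account let a
member import a Page on which they held no role.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class Page:
    page_id: str
    admins: set = field(default_factory=set)
    editors: set = field(default_factory=set)


@dataclass
class Business:
    business_id: str
    members: set            # accounts Facebook placed in the business
    temporary: bool         # True until the conversion flow completes
    assets: set = field(default_factory=set)


class AuthzError(Exception):
    """Raised when a request fails an authorization check."""


def parse_import_body(body):
    """Parse the intercepted POST body into (business_id, asset_ids, user).

    asset_ids[0], asset_ids[1], ... arrive as separate form fields; sorting
    the keys keeps their order for the small counts this model uses.
    """
    q = parse_qs(body, strict_parsing=True)
    business_id = q["business_id"][0]
    asset_ids = [q[k][0] for k in sorted(q) if k.startswith("asset_ids[")]
    user = q["__user"][0]
    return business_id, asset_ids, user


def import_assets_vulnerable(body, businesses, pages):
    """Hypothetical buggy handler: trusts asset_ids for temporary businesses."""
    business_id, asset_ids, user = parse_import_body(body)
    biz = businesses[business_id]
    if user not in biz.members:
        raise AuthzError("caller is not a member of the business")
    for aid in asset_ids:
        page = pages[aid]
        # The bug: the per-asset ownership check is skipped while the business
        # is temporary, so any Page ID the caller names gets imported.
        if not biz.temporary and user not in page.admins:
            raise AuthzError(f"caller is not an admin of page {aid}")
        biz.assets.add(aid)
    return sorted(biz.assets)


def import_assets_fixed(body, businesses, pages):
    """Hardened handler: authorize every referenced object against the caller."""
    business_id, asset_ids, user = parse_import_body(body)
    biz = businesses[business_id]
    if user not in biz.members:
        raise AuthzError("caller is not a member of the business")
    # Check all assets before mutating anything, regardless of business state.
    for aid in asset_ids:
        page = pages.get(aid)
        if page is None or user not in page.admins:
            raise AuthzError(f"caller is not an admin of page {aid}")
    biz.assets.update(asset_ids)
    return sorted(biz.assets)


def convert_business(biz):
    """Model the temp_biz/convert flow finishing: the business is no longer temporary."""
    biz.temporary = False
    return biz


def build_world():
    """Constructed scenario: attacker's page (victim is editor) and victim's new page."""
    pages = {
        "111": Page("111", admins={"attacker"}, editors={"victim"}),
        "222": Page("222", admins={"victim"}),
    }
    businesses = {
        # Facebook auto-created the business and pulled in the page's editor too.
        "900": Business("900", members={"attacker", "victim"}, temporary=True),
    }
    return businesses, pages


# Constructed request bodies shaped like the intercepted one.
ATTACKER_BODY = ("business_id=900&asset_ids[0]=111&session_id=s1"
                 "&source=alarm_clock&__user=attacker")
TAMPERED_BODY = ATTACKER_BODY.replace("asset_ids[0]=111", "asset_ids[0]=222")


if __name__ == "__main__":
    businesses, pages = build_world()
    print("legit import:", import_assets_vulnerable(ATTACKER_BODY, businesses, pages))
    print("tampered import (temp business):",
          import_assets_vulnerable(TAMPERED_BODY, businesses, pages))
```

The model also reproduces the observation from Step 9: once convert_business() has run, the same tampered request is rejected even by the buggy handler, because the skipped check only applied to the temporary state. The fix is the usual one for IDOR: authorize each object the request names against the caller, not against the container it is being moved into, and do it independently of any lifecycle flag on that container.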

Timeline

Dan, 12 Dec 2018: Initial Report
Facebook, 24 Dec 2018: Duplicate

DUPLICATE