Missing Authorization check while deleting App Review for Marketing APIPeter, was enjoying the weekend, and he heard Lois screaming.
Hey, Peter, when are we getting new Television:
Well, huh!!! Alright…
Let's find something Honey :p
Facebook has an option for App Review for Marketing API:
This privilege is only given to app admin:
App Review can only be submitted by app admins. Please contact an admin on the app to submit this app for review.
A developer can change the app submission settings which can only be done by an admin and can also play with current submission settings.
here's the official documentation:
Facebook developer's documentation
The authorization check for the developer is missing on backend for the add/delete requests.
Peter being a developer was able to delete the added submissions(despite of having them disabled on front end)
Steps to replicate:1. create a test app,
2. add admin A and developer B
3. from developer B’s account go to
you will see App Review for Marketing API with App Review can only be submitted by app admins. Please contact an admin on the app to submit this app for review.
(Loise looks like we are not getting a television this week ☹ )
why not test the back-end access controls? Lets create a test app in B’s account with B as an admin, as in the request for adding/deleting marketing_API the submission_id remains same for all the apps and look for missing authorisation.(which makes this easy for the developer's to exploit the issue):
wait, okey dokey, we have something in here !!
this is request which is modified to add and delete submisson_IDs
* send the above request from app where B is an admin and in burp change the appID (where he is a developer), the marketing API settings are changed(added or deleted)
Reported: 27 March 2019
New Television 21.04.2019
Thanks Facebook Security for the quick resolution and an awesome program: