Skip to main content

Missing Authorization check while deleting App Review for Marketing API: Facebook Whitehat

Missing Authorization check while deleting App Review for Marketing API

Peter, was enjoying the weekend, and he heard Lois screaming.
Hey, Peter, when are we getting new Television:
Well, huh!!! Alright…
Let's find something Honey :p 
Facebook has an option for App Review for Marketing API:
This privilege is only given to app admin:
App Review can only be submitted by app admins. Please contact an admin on the app to submit this app for review.
Impact:
A developer can change the app submission settings which can only be done by an admin and can also play with current submission settings.
here's the official documentation:
Facebook developer's documentation
The authorization check for the developer is missing on backend for the add/delete requests.
Peter being a developer was able to delete the added submissions(despite of having them disabled on front end)

Steps to replicate:

1. create a test app,
2. add admin A and developer B
3. from developer B’s account go to
https://developers.facebook.com/apps/[APP_ID]/marketing-api/settings/ 
you will see App Review for Marketing API with App Review can only be submitted by app admins. Please contact an admin on the app to submit this app for review.
fair enough
(Loise looks like we are not getting a television this week ☹ )

why not test the back-end access controls? Lets create a test app in B’s account with B as an admin, as in the request for adding/deleting marketing_API the submission_id remains same for all the apps and look for missing authorisation.(which makes this easy for the developer's to exploit the issue):
wait, okey dokey, we have something in here !!

this is request which is modified to add and delete submisson_IDs

POST /apps/[app_ID]/review/product/async/add-item/?product_submission_type=marketing_api&submission_id=submisson_ID

POST /apps/[app-ID]/review/product/async/remove-item/?product_submission_type=marketing_api&submission_item_id=submisson_ID

* send the above request from app where B is an admin and in burp change the appID (where he is a developer), the marketing API settings are changed(added or deleted)
Timeline:
Reported: 27 March 2019


New Television 21.04.2019




Thanks Facebook Security for the quick resolution and an awesome program:
./Family Guy


Comments

Popular posts from this blog

Google Adwords(Privilege Escalation): Read-only user able to add YouTube channels via Linked accounts

STEWIE NOT DOG, HUNT SOME BUGS MY BOY!!!!
Google AdWords , is Google's advertising system in which advertisers bid on certain keywords in their searchable ads. Since advertisers have to pay for these clicks, Google makes money from search.
ISSUE: A user with read only access to the adwords account was able to link Youtube channels to the adwords account. Reported: 5th April
Steps to reproduce: 1. Go to https://adwords.google.com create a test adwords account. From settings, Account access add another userA with Read-only access (Here's the access right is allocated as read only users) Now 3. Go to user A mail account and accept the invitation to join the adwords account. 4. from user A adwords account go to settings then Linked accounts and then youtube, with below description: YouTube channels Link a YouTube channel to your AdWords account to gain greater insights about your customers.
5. Add a youtube channel and accept the same via your youtube account. the channel is added to the adword…

Hijacking Friend Requests Facebook: White Hat ./FamilyGuy

Facebook BugBounty: Intercept incoming friend requests of Victim add/accept to your facebook account:Product/URL:Facebook android app on facebookDescription and Impact The issue:
Missing authorisation check while accessing friend request API on android app, an attacker can add friend requests of any facebook user into his own account. in simple words Peter says:
Wait, what, no, no, Peter is a nice fellow. Peter: Ok, but still  Its like I can intercept and accept friend requests from someone which was send to some other user via Facebook send friend request to contacts option.
Let's report!! Sceanrio: X sends friends request by contacts option to Y. And I can get the request which was send to Y and become friend with X.
Reproduction Instructions/Proof of Concept: 1. install latest android app.  2. Create new account.  3. Enter a random mobile number[victim's]. 4. Enter a good name. 5. Enter gender. 6. You can skip uploading photo as well as uploading contacts. 7. As soon as you land on fb home p…