Sign up for Brand Collabs Manager on behalf of other page admins – Privilege Escalation

Introduction

Brand Collabs Manager is a marketplace that connects brands with creators so each side can discover and work with the other. It is reached from Facebook page settings, and the application process is intended to be restricted to page administrators, who can apply and sign up as either a “creator” or an “advertiser.” For a full description, refer to the official documentation at https://www.facebook.com/business/help/1898176230203655?id=1912903575666924.

The finding

Lower page roles such as “Advertiser,” “Moderator,” “Editor,” and “Job Manager” are not offered the option to apply or sign up for Collabs Manager in the Facebook web interface. However, the request that handles the “sign-up” action contains an IDOR (Insecure Direct Object Reference): the “page_ids” parameter it carries is trusted without checking that the caller is an admin of those pages. A user holding one of these lower roles can therefore change “page_ids” to a page they do not administer and enrol it in the Collabs Manager sign-up process.

Reproduction Steps

  1. From the attacker account, navigate to https://www.facebook.com/collabsmanager/signup/brand/.
  2. Select a page for which you are an admin, enter your email, check the “I accept the Terms of Service” box, intercept the request with Burp Suite, and then submit the form.
  3. Upon submission, observe the POST request:
POST /api/graphql/ HTTP/1.1
Host: www.facebook.com

av=100015771374000&__user=100015771374000&__a=1&... (other parameters) ... &variables={"data":{"client_mutation_id":"xxx-xxx-xxx-xxx-xxx","email":"demo@me.com","entry_source":null,"page_ids":["149646615725890"]}}&doc_id=2604093872934600.

The vulnerable part is:

page_ids":["149646615725890"]}}
  4. The attacker modifies the “page_ids” value to the page_id of a page on which they hold only the “Advertiser,” “Moderator,” “Editor,” or “Job Manager” role, then forwards the altered request to the server.
  5. From the victim account (an admin of that page), visit https://www.facebook.com/collabsmanager/signup/brand/. Under “Currently being reviewed for eligibility,” observe that the page has been added without any admin interaction, confirming the bypass by the non-admin role.
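The missing server-side check, as an added example that is not Meta's code or part of the original report: the handler parses the mutation's `variables` JSON and rejects the request unless the calling user is an admin of every page in `page_ids`. The role directory, user ids and the second and third page ids are constructed for illustration; `handle_signup` and `authorize_signup` are hypothetical names.

```python
"""Authorization check for a Collabs Manager style sign-up mutation.

Added example, not Meta's code. The original bug was that page_ids from the
request body were enrolled without confirming the caller's role on each page.
"""
import json

# Only page admins may sign a page up; the UI hides the option from other
# roles, but the server must enforce it as well.
ALLOWED_ROLES = {"admin"}

# Constructed page-role directory: page_id -> {user_id: role}. The ids and
# roles below are illustrative only; the first page id is the one from the
# captured request, the other two are made up.
PAGE_ROLES = {
    "149646615725890": {"100015771374000": "admin"},
    "200000000000001": {"100015771374000": "editor",
                        "100099999999999": "admin"},
    "200000000000002": {"100099999999999": "admin"},
}


def role_on_page(user_id, page_id):
    """Return the caller's role on a page, or None if they hold none."""
    return PAGE_ROLES.get(page_id, {}).get(user_id)


def authorize_signup(user_id, variables):
    """Return (ok, denied_page_ids) for one sign-up mutation.

    Every page_id must pass; an unknown page is treated as denied rather
    than silently skipped, so a tampered list cannot partially succeed.
    """
    page_ids = variables.get("data", {}).get("page_ids", [])
    denied = [p for p in page_ids if role_on_page(user_id, p) not in ALLOWED_ROLES]
    return (not denied, denied)


def handle_signup(user_id, raw_variables):
    """Hardened handler: user_id comes from the session, never from the body.

    The whole mutation is refused if any page fails the check; the denied
    ids are returned so the rejection can be logged and alerted on.
    """
    variables = json.loads(raw_variables)
    ok, denied = authorize_signup(user_id, variables)
    if not ok:
        return {"status": 403, "error": "caller is not an admin of page",
                "page_ids": denied}
    return {"status": 200, "enrolled": variables["data"]["page_ids"]}
```

A burst of 403 responses from this mutation for one session is also a useful detection signal, since the legitimate UI never sends a page the caller cannot administer.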

Timeline

  • Sarmad 30 Sep 2019
    • Initial Report.
  • Meta Bug Bounty 03 Oct 2019
    • Checking this internally.
  • Meta Bug Bounty 16 Oct 2019
    • Report Triaged.
  • Meta Bug Bounty 23 Oct 2019
    • Fixed By Meta Bug Bounty.
  • Sarmad 23 Oct 2019
    • Fixed Confirmed.
  • Meta Bug Bounty 25 Oct 2019
    • Bounty awarded.

POC
