Download the prediction details of any business's ad plans.

Description

This bug could have allowed an attacker to view the ad plans of a business without having a role or any permissions in that business. He could see the details of all upcoming campaigns: budget, campaign period, targeted audience of each campaign, and the curve of reach plotted against budget.

Demonstration

1. The attacker gets invited by a business admin to view an ad campaign plan with limited access to it (he can't copy the plan or view any of its details).
These are the options chosen by the business admin when sharing the link with the attacker.

2. The attacker opens the short link received from the business admin and is redirected to a URL of this format:
https://www.facebook.com/ads/planner_preview/?sharing_spec_id=&hash=
He now extracts the prediction_id of this ad plan by viewing the page source and searching for the keyword "trp_is_plan_purchased".

3. Using the prediction_id obtained above, the attacker sends it to a misconfigured endpoint that does not check the owner of the ad plan prediction before returning its details.

POST /ads/reachfrequency/prediction_download/
Host: www.facebook.com

rf_prediction_id=XXX

Result of the request sent to the endpoint.

4. The attacker now has permanent access to this ad campaign plan and all its details, even if his invitation is revoked.
The attacker can also access all the other ad plans, predictions and other versions of the plan owned by the business. This is done by brute-forcing ids starting from the one found with the "trp_is_plan_purchased" method, so he only needs to trick the admin once and can then obtain all future plans.

To demonstrate this, we can list all ad plan predictions owned by a business (the attacker doesn't have the permission to do so, but I did it with my "victim" account):

GET /act_YYYYY/reachfrequencypredictions/?access_token=XXXXX
Host: graph.facebook.com

Where YYYYY is the ad account id of the business and XXXXX is a valid access token generated by the Campaign Planner app (one can be obtained by navigating to
https://business.facebook.com/ads/planner?business_id).
What I noticed is that all prediction ids share a common beginning and end within each business (sorry, I didn't keep a screenshot).
So with a simple brute-forcing technique (using a step of 1000 or 10000 instead of 1), the attacker can obtain the details of all future and previous ad plans of that business after having been given limited access to see only one.
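The root cause is a missing ownership check on the download endpoint. The following is an added illustration, not Facebook's code: a handler that mirrors the reported behaviour next to one that authorises against the owning business, using a constructed prediction store, role table and user names.

```python
# Added example (not Facebook's code). All ids, users and details are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Prediction:
    rf_prediction_id: int
    business_id: int
    details: dict


# Constructed store: two businesses, one reach & frequency prediction each.
PREDICTIONS = {
    1001: Prediction(1001, 77, {"budget": 5000, "reach": 120000}),
    2001: Prediction(2001, 88, {"budget": 9000, "reach": 300000}),
}

# Constructed role table: user -> businesses in which the user holds a role.
# A guest invited via a sharing link holds no business role at all.
BUSINESS_ROLES = {
    "admin_of_77": {77},
    "invited_guest": set(),
}


class Forbidden(Exception):
    pass


def download_prediction_vulnerable(user, rf_prediction_id):
    """Reported behaviour: whoever knows an id receives the plan details."""
    pred = PREDICTIONS.get(rf_prediction_id)
    if pred is None:
        raise KeyError("unknown prediction")
    return pred.details


def can_download(user, rf_prediction_id):
    """True only if the prediction exists AND the caller has a role in its business."""
    pred = PREDICTIONS.get(rf_prediction_id)
    return pred is not None and pred.business_id in BUSINESS_ROLES.get(user, set())


def download_prediction_fixed(user, rf_prediction_id):
    """Authorise before revealing anything.

    Unknown and unowned ids both raise Forbidden, so the endpoint never
    confirms which ids are valid; that removes the signal an id-stepping
    enumeration like the one above relies on.
    """
    if not can_download(user, rf_prediction_id):
        raise Forbidden("no role in the business that owns this prediction")
    return PREDICTIONS[rf_prediction_id].details
```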

Timeline

Jan 12, 2019 — Report sent
Jan 16, 2019 — Clarification requested by Facebook
Jan 23, 2019 — Clarification sent
Jan 29, 2019 — Acknowledged by Facebook
May 21, 2019 — Fixed by Facebook
Jul 2, 2019 — Bounty awarded by Facebook