It was possible for an attacker to determine any Page Admin role without any interaction or special privilege, based on server response timing.

1. As an attacker, go to your test Page's role settings and add the target Page admin in any role on that Page.
Note that the victim does not need to be friends with the attacker to be invited as an admin, nor does the victim have to accept the admin role invite request.
2. Intercept the call which cancels the Invite -
==================================
GET /pages/remove_admins/confirm/?id=attacker_test_page_id&remove_admin_role=1&remove_pending_invite_id=Target_Page_Admin_ID&__user=attacker_id HTTP/2
Host: m.facebook.com
==================================
3. Change the "id" value to the target Page ID and repeat the request. The response will be a 500 error.
4. Observe the response timing. There will be a maximum response timing and a minimum response timing.
For example, in the POC video the range was between 250ms and 350ms and never exceeded 600ms.
5. Change the "id=" value to a Page ID where the victim is not an admin.
Here the response timing will always be above 600ms. In the POC video, the response timing went up to 1500ms to 2500ms.
To reproduce the issue, make sure there are no packet drops or updates running on your device. The timing range will differ according to your PC specs and bandwidth, but the pattern is always the same, which is what allows the admin to be determined.
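As an added illustration (not Facebook's code, which is not shown here), the following Python models the handler ordering that produces a timing oracle of this kind, and the fix of authorizing the caller before any target-dependent lookup. The page ids, user ids and the "cost" figures are constructed; the assumption that an existing role resolves faster than a missing one is chosen to mirror the timings observed above.

```python
# Toy model of the remove_admins handler (added example, not Facebook's code).
# Page ids, user ids and the "cost" figures are constructed; the assumption
# that an existing role resolves faster than a missing one mirrors the timings
# observed above (fast when the target is an admin, slow when not).
from dataclasses import dataclass

PAGES = {  # page_id -> user ids holding (or pending) an admin role
    "attacker_page": {"attacker"},
    "target_page": {"target_admin", "other_admin"},
}

@dataclass
class Response:
    status: int
    cost: int  # simulated units of server work, standing in for elapsed time

def _lookup_role(page_id, user_id):
    # Cheap hit when the user holds a role, expensive fallback when not.
    # Any asymmetry that depends on the *target's* state is what gets timed.
    roles = PAGES.get(page_id, set())
    return (True, 1) if user_id in roles else (False, 10)

def vulnerable_remove_admin(caller, page_id, target):
    # Flaw: the target-dependent lookup runs BEFORE the caller is authorized,
    # so the 500 sent to an unauthorized caller arrives early or late
    # depending on whether `target` is an admin of `page_id`.
    _found, cost = _lookup_role(page_id, target)
    if caller not in PAGES.get(page_id, set()):
        return Response(500, cost)
    return Response(200, cost + 1)

def hardened_remove_admin(caller, page_id, target):
    # Fix: authorize the caller against page_id first and fail uniformly;
    # nothing about `target` is touched until the caller may act on the page.
    if caller not in PAGES.get(page_id, set()):
        return Response(403, 1)
    _found, cost = _lookup_role(page_id, target)
    return Response(200, cost + 1)

def timing_gap(handler, caller, page_id, admin_target, non_admin_target):
    # Cost difference an unauthorized caller sees between probing a real admin
    # and a non-admin of page_id. Nonzero means the role leaks via timing.
    a = handler(caller, page_id, admin_target).cost
    b = handler(caller, page_id, non_admin_target).cost
    return abs(a - b)

if __name__ == "__main__":
    args = ("attacker", "target_page", "target_admin", "nobody")
    print("vulnerable gap:", timing_gap(vulnerable_remove_admin, *args))
    print("hardened gap:", timing_gap(hardened_remove_admin, *args))
```

The same principle applies to real handlers: every path an unauthorized caller can reach must do the same amount of work regardless of the data about the target user.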
Timeline -
Reported to Facebook on 10 December 2021, along with a POC video.
From further testing I got to know that this even worked for Pending Determine Roles on a Page.
I updated them on 10 December 2021.
On 15 December 2021 Facebook was not able to Reproduce the issue and gave me some WhiteHat test Accounts to determine the Admin.
On 15 December 2021 I replied -
===================
Hey!
I am facing issues with whitehat test accounts.
In every browser and on different domains (www.facebook or m.facebook), when we try to invite a test account to a Page role, we need to enter the test account user's name in the search box. The search box doesn't pop up with the test account profile (check the attached video showing the issue).
Also I ran this FBDL code --
# Example: (This is a comment. Modify below:)
[setup]
User UserOne
Page PageOne with {owner: UserOne}
User UserTwo
[action]
UserOne add_page_admins PageOne with {new_roles: [UserOne, UserTwo]}
which directly adds a role rather than sending an invite for a role on the Page, which is necessary to reproduce the issue.
Did you use real Facebook accounts to reproduce the issue?
===================