Tuesday, January 4, 2022

Facebook Bug POC - Determine any Page Admin Role


It was possible for an attacker to determine whether any user held an Admin role on any Page, without any interaction or special privilege, based on server response timing.

Steps -

1. As an attacker, go to your test Page's role settings and add the target Page Admin in any role on that Page.

Note that the victim does not need to be friends with the attacker to be invited as an Admin, nor does the victim have to accept the Admin role invite request.

2. Intercept the request that cancels the invite -

==================================

GET /pages/remove_admins/confirm/?id=attacker_test_page_id&remove_admin_role=1&remove_pending_invite_id=Target_Page_Admin_ID&__user=attacker_id HTTP/2

Host: m.facebook.com

==================================

3. Change the "id" value to the target Page ID and repeat the request. The response will be a 500 error.

4. Observe the response timing. There will be a maximum response time and a minimum response time.

For example, in the POC video the range was between 250ms and 350ms and did not exceed 600ms.

5. Change the "id=" value to a Page ID where the victim is not an Admin.

Here the response time will always be above 600ms. In the POC video, the response time went up to 1500ms to 2500ms.

To reproduce the issue, make sure there are no packet drops and no updates running on your device. The timing range will differ according to your PC specs and bandwidth, but it will always have the same nature, which is what determines the Admin.
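The root cause of a leak like this is a handler whose amount of work before failing depends on a relationship the caller is not authorized to learn. The following is an added example, not Facebook's code and not part of the original post: a hypothetical `remove_invite_leaky` handler models that failure mode with constructed page data, and `remove_invite_hardened` shows the fix, which is to authorize the caller on `page_id` before touching anything derived from `invite_id`, so an unauthorized caller always pays the same cost and gets the same generic error. `cost` counts backend lookups deterministically, and `median_latency_ms` shows how the difference surfaces as wall-clock time, which is the measurement the post relies on. All names, data and delays here are assumptions.

```python
import statistics
import time

# Constructed sample data (not Facebook's): page id -> user ids holding a role,
# and page id -> user ids with a pending role invite.
PAGE_ROLES = {"page_A": {"user_1", "user_2"}, "page_B": {"user_3"}}
PENDING_INVITES = {"page_A": {"user_9"}, "page_B": set()}


class Backend:
    """Stand-in for the data store. Records how many lookups a request made and
    optionally charges a fixed delay per lookup so the cost also shows up as latency."""

    def __init__(self, ms_per_lookup=0.0):
        self.calls = 0
        self.ms_per_lookup = ms_per_lookup

    def lookup(self, table, key):
        self.calls += 1
        if self.ms_per_lookup:
            time.sleep(self.ms_per_lookup / 1000)
        return table.get(key, set())


def remove_invite_leaky(backend, page_id, invite_id, caller):
    """Hypothetical handler with the failure mode the post describes: the request
    fails either way, but the work done before failing depends on whether
    invite_id holds a role or invite on page_id, so latency reveals that
    relationship to a caller who has no rights on the page."""
    if invite_id in backend.lookup(PAGE_ROLES, page_id):
        return 500  # found as a role holder: fail after one lookup
    if invite_id in backend.lookup(PENDING_INVITES, page_id):
        return 500  # found as a pending invite: fail after two lookups
    # Unrelated user: an exhaustive scan over every page before giving up.
    for pid in PAGE_ROLES:
        backend.lookup(PAGE_ROLES, pid)
    return 500


def remove_invite_hardened(backend, page_id, invite_id, caller):
    """Authorize the caller on page_id before consulting anything derived from
    invite_id, and return the same generic error from that check. An
    unauthorized caller's request then costs exactly one lookup and yields the
    same status no matter which invite_id was supplied."""
    if caller not in backend.lookup(PAGE_ROLES, page_id):
        return 403
    # Only a caller who legitimately administers the page reaches invite-specific work.
    if invite_id in backend.lookup(PENDING_INVITES, page_id):
        return 200
    return 404


def cost(handler, page_id, invite_id, caller):
    """Number of backend lookups one request performs (deterministic)."""
    backend = Backend()
    handler(backend, page_id, invite_id, caller)
    return backend.calls


def median_latency_ms(handler, page_id, invite_id, caller, samples=15, ms_per_lookup=2.0):
    """Median wall-clock latency over several samples; the kind of measurement
    the post used, with a constructed per-lookup delay standing in for the backend."""
    times = []
    for _ in range(samples):
        backend = Backend(ms_per_lookup)
        t0 = time.perf_counter()
        handler(backend, page_id, invite_id, caller)
        times.append((time.perf_counter() - t0) * 1000)
    return statistics.median(times)


if __name__ == "__main__":
    # "attacker" holds no role on page_A; user_1 does, user_42 does not.
    for handler in (remove_invite_leaky, remove_invite_hardened):
        for target in ("user_1", "user_42"):
            print(handler.__name__, target,
                  "lookups:", cost(handler, "page_A", target, "attacker"),
                  "median ms: %.1f" % median_latency_ms(handler, "page_A", target, "attacker"))
```

The deterministic `cost` is what a regression test should assert on: for every unauthorized caller, the hardened handler performs identical work and returns an identical status regardless of the target, which is the property that was missing in the reported flow. Padding responses with sleeps is a weaker substitute, because the data-dependent work still exists and can be recovered with more samples.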

Timeline -

Reported to Facebook on 10 December 2021, along with a POC video.

From further testing I got to know that this even worked for pending roles on a Page.

I updated them on 10 December 2021.

On 15 December 2021 Facebook was not able to reproduce the issue and gave me some WhiteHat test accounts to determine the Admin.

On 15 December 2021 I replied -

===================

Hey!

I am facing issues with WhiteHat test accounts.

In every browser and on different domains (www.facebook or m.facebook), when we try to invite a test account to a Page role, we need to enter the test account user's name in the search box. The search box doesn't pop up with the test account profile (see the attached video showing the issue).

Also, I ran this FBDL code --

# Example: (This is a comment. Modify below:)

[setup]

User UserOne

Page PageOne with {owner: UserOne}

User UserTwo

[action]

UserOne add_page_admins PageOne with {new_roles: [UserOne, UserTwo]}

which directly adds the role instead of sending an invite for a role on the Page, which is necessary to reproduce the issue.

Did you use real Facebook accounts to reproduce the issue?

===================

Facebook replied on 18 December 2021 -

Hi Sai,
The users I added in my previous account already have the right setup, I can confirm some of them are admin on the page.
Can you try to reproduce it against them and let me know the results?
Thanks.

My reply to Facebook on 18 December 2021 -

Hello!
I think there has been some confusion.
As shown in the POC video and POC steps, we have to invite the target User as the Admin of our test Page.
Whitehat test Pages are not letting me invite your test accounts to my Page as a role on my test Page which is necessary to reproduce the issue.
Can you check out the POC video again - https://youtu.be/XYZ

On 24 December 2021 Facebook watched the POC video and wrote proper POC steps, but was still not able to reproduce the issue.

On Saturday, 25 December, I replied to Facebook -

The issue is not reproducible anymore.
There have been some changes made on that flow.
I can confirm it because, if you check, you can no longer remove the invites on m.facebook.com.
I think this report could have been processed better. You can close this.

Facebook then closed the Ticket without any reply on 4 January 2022.