[Facebook] Page Admin disclosed

By measuring request-response timing, it was possible to infer whether a given user is an Admin of a Page.

POC - 

1. As an Attacker go to your test Page role settings - https://m.facebook.com/pages/edit/admins/page_id

2. Add the Target Page Admin (the user you want to test) in any role on that Page.

3. Turn on Burp Intercept and click the Cancel button to remove the Target Page Admin from the Pending Admins list.

4. Send the intercepted request to the Repeater tab.

5. The request contains an ID parameter, "id=".

Change it to the Target Page ID and resend the request.

6. Observe the response timing. Across repeats there will be a maximum and a minimum response time.

Repeat the request several times to determine this range.

This range is the baseline, for your connection and PC, for a Page where the Victim is one of the Page Admins; it can be used to test any other Page.

7. Change the "id=" value to a Page ID where the Victim is not an Admin.

Repeat the request and observe that the response time is now greater than the range measured before.

This second range is the baseline, for your connection and PC, for a Page where the Victim is not an Admin.
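The report above does not show Facebook's server-side code, so the following is an added, constructed simulation (not Facebook's implementation) of the kind of handler that produces such a leak, next to a hardened version. The page IDs, user IDs, per-step costs and the "cancel pending admin" logic are all hypothetical; a fake clock is used so the demonstration is deterministic and does not depend on real scheduling jitter.

```python
"""Timing-oracle simulation: a 'cancel pending admin' handler whose elapsed
time depends on whether the target user administers the page, and a hardened
handler that (1) authorizes the caller before any target-dependent work and
(2) pads every response to a fixed budget. Constructed example, not real code."""
import statistics

# Constructed data: which users administer which pages (hypothetical IDs).
PAGE_ADMINS = {
    "page_1001": {"user_77", "user_78"},
    "page_2002": {"user_99"},
}

# Hypothetical unit costs of backend steps, in seconds.
COST_LOOKUP = 0.010        # load the page's admin / pending-admin list
COST_TARGET_LOAD = 0.040   # load the target user's record for the pending row
FIXED_BUDGET = 0.100       # minimum response time for the hardened handler


class FakeClock:
    """Deterministic clock: sleep() just advances a counter."""

    def __init__(self):
        self.now = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def vulnerable_cancel(requester_id, page_id, target_id, clock):
    """Target-dependent work happens before the authorization check, so the
    elapsed time reveals whether target_id is an admin of page_id even when
    the caller is rejected with an identical 'forbidden' result."""
    start = clock.time()
    clock.sleep(COST_LOOKUP)
    admins = PAGE_ADMINS.get(page_id, set())
    is_member = target_id in admins
    if is_member:
        clock.sleep(COST_TARGET_LOAD)   # only runs when the target is an admin
    if requester_id not in admins:      # authorization checked too late
        return "forbidden", clock.time() - start
    return ("removed" if is_member else "not_found"), clock.time() - start


def hardened_cancel(requester_id, page_id, target_id, clock):
    """Authorize first, so a caller who does not administer page_id never
    triggers target-dependent work; then pad to a fixed budget as a backstop
    so the branch taken is not visible in the elapsed time."""
    start = clock.time()
    clock.sleep(COST_LOOKUP)
    admins = PAGE_ADMINS.get(page_id, set())
    if requester_id in admins:
        is_member = target_id in admins
        if is_member:
            clock.sleep(COST_TARGET_LOAD)
        result = "removed" if is_member else "not_found"
    else:
        result = "forbidden"
    elapsed = clock.time() - start
    if elapsed < FIXED_BUDGET:
        clock.sleep(FIXED_BUDGET - elapsed)
    return result, clock.time() - start


def timing_gap(handler, requester_id, page_id, admin_target, other_target,
               clock, samples=5):
    """Median elapsed time for an admin target minus that for a non-admin
    target. A gap well above measurement noise is the oracle."""
    admin = [handler(requester_id, page_id, admin_target, clock)[1]
             for _ in range(samples)]
    other = [handler(requester_id, page_id, other_target, clock)[1]
             for _ in range(samples)]
    return statistics.median(admin) - statistics.median(other)


if __name__ == "__main__":
    clock = FakeClock()
    # "user_attacker" administers neither page; "user_77" is an admin of page_1001.
    for name, handler in (("vulnerable", vulnerable_cancel),
                          ("hardened", hardened_cancel)):
        gap = timing_gap(handler, "user_attacker", "page_1001",
                         "user_77", "user_99", clock)
        print(f"{name}: admin-vs-non-admin timing gap = {gap:.3f}s")
```

Both handlers return "forbidden" to the unauthorized caller in every case; only the hardened one also returns it in the same amount of time. The fixed budget must exceed the slowest legitimate path, and it is a backstop rather than the primary fix: the structural fix is to reject callers who do not administer the page before any work that depends on the target user, which is consistent with the report's note that the issue stopped reproducing after changes to the flow.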

Timeline -

Reported - Friday, December 10, 2021

Because of changes made to the flow, the issue was no longer reproducible by the Facebook Security team on Saturday, December 25, 2021.
