[Facebook] Privilege escalation in App Roles after removal
A user who had been removed as an Admin or Developer of an app could still see that app's Dashboard, some of its Insights, and other settings such as the App Roles.
POC -
A user who is an Admin or a Developer of an app can create a Test App for that main app.
Once that user's role on the main app was removed, he could still access the main app's Dashboard.
The Dashboard remained available to him at https://developers.facebook.com/apps/APP_ID_OF_THE_TARGET_APP/dashboard/
All changes made to the production app were visible to the attacker in real time; the Dashboard still showed the current App Roles and Insights.
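The following is an added example, not Facebook's code: a minimal model of the dashboard role check, showing a stale-access check of the kind the POC describes beside a corrected one and an audit that lists users whose access outlived their role. That the retained access comes via the Test App is an assumption drawn from the POC; the app and user names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class App:
    app_id: str
    roles: Dict[str, str] = field(default_factory=dict)   # user_id -> "admin" | "developer"
    parent_id: Optional[str] = None                       # set when this is a Test App

class AppRegistry:
    def __init__(self) -> None:
        self.apps: Dict[str, App] = {}

    def add(self, app: App) -> None:
        self.apps[app.app_id] = app

    def test_apps_of(self, app_id: str) -> List[App]:
        return [a for a in self.apps.values() if a.parent_id == app_id]

    def remove_role(self, app_id: str, user_id: str) -> None:
        # Removal only touches the main app; Test App roles are left in place.
        self.apps[app_id].roles.pop(user_id, None)

    def can_view_dashboard_vulnerable(self, app_id: str, user_id: str) -> bool:
        # Assumed bug model: a role on any Test App is accepted for the parent's Dashboard.
        if user_id in self.apps[app_id].roles:
            return True
        return any(user_id in t.roles for t in self.test_apps_of(app_id))

    def can_view_dashboard_fixed(self, app_id: str, user_id: str) -> bool:
        # Only a current role on the app itself grants its Dashboard.
        return user_id in self.apps[app_id].roles

    def stale_dashboard_access(self, app_id: str) -> Set[str]:
        # Audit helper: users the weak check admits although they hold no role on the app.
        candidates = {u for t in self.test_apps_of(app_id) for u in t.roles}
        return {u for u in candidates if u not in self.apps[app_id].roles}

def removed_user_access() -> Tuple[bool, bool, Set[str]]:
    reg = AppRegistry()
    reg.add(App("main-app", roles={"alice": "admin", "bob": "developer"}))
    reg.add(App("test-app-1", roles={"bob": "developer"}, parent_id="main-app"))  # bob's Test App
    reg.remove_role("main-app", "bob")  # bob is removed from the main app
    return (reg.can_view_dashboard_vulnerable("main-app", "bob"),
            reg.can_view_dashboard_fixed("main-app", "bob"),
            reg.stale_dashboard_access("main-app"))
```

The audit helper is the defender's side of the same check: run over all apps, it lists removed users whose Test App roles would still be honoured.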
Timeline -
Reported - Tuesday, January 1, 2019
Triaged - Tuesday, January 15, 2019
Rewarded - Thursday, January 2, 2020