[Facebook] Privilege escalation in App Roles after removal

A User who had been removed as an Admin or Developer of an App could still see the Dashboard, some Insights, and other settings such as the App Roles.


A User who is an Admin or a Developer can create a Test App for that main App.

Once he was removed from his Role, he could still access the Dashboard.

The Dashboard remained available to him at https://developers.facebook.com/apps/APP_ID_OF_THE_TARGET_APP/dashboard/

All changes made to the production App were visible to the removed user in real time. In the Dashboard, the current App Roles and Insights were available.
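The underlying defect is an authorization check that relies on a stale, derived grant (having created a Test App) instead of the user's current role on the main App. The following is an added illustration, not Facebook's code and not a description of their internals: a hypothetical, in-memory model of Apps, Roles and Test Apps showing the stale check beside the corrected one, plus an audit routine that lists users who retain derived access after their role was removed. All names (`App`, `can_view_dashboard_stale`, `can_view_dashboard_fixed`, `audit_orphaned_access`) and the sample data are constructed for this example.

```python
from dataclasses import dataclass, field

VALID_ROLES = {"admin", "developer"}


@dataclass
class App:
    """Hypothetical model of a main App with its roles and child Test Apps."""
    app_id: str
    # user_id -> "admin" | "developer"; the single source of truth for access
    roles: dict = field(default_factory=dict)
    # test_app_id -> user_id of the creator (a derived artifact, not a grant)
    test_apps: dict = field(default_factory=dict)


def grant_role(app: App, user_id: str, role: str) -> None:
    if role not in VALID_ROLES:
        raise ValueError(f"unknown role {role!r}")
    app.roles[user_id] = role


def create_test_app(app: App, user_id: str, test_app_id: str) -> None:
    """Only current Admins/Developers may create a Test App."""
    if app.roles.get(user_id) not in VALID_ROLES:
        raise PermissionError(f"{user_id} has no role on {app.app_id}")
    app.test_apps[test_app_id] = user_id


def remove_role(app: App, user_id: str) -> None:
    """Removing the role does not touch Test Apps the user created."""
    app.roles.pop(user_id, None)


def can_view_dashboard_stale(app: App, user_id: str) -> bool:
    """Flawed pattern (constructed): treats Test App ownership as a standing
    grant, so access survives role removal."""
    return user_id in app.roles or user_id in app.test_apps.values()


def can_view_dashboard_fixed(app: App, user_id: str) -> bool:
    """Corrected pattern: evaluate the current role at request time only."""
    return app.roles.get(user_id) in VALID_ROLES


def audit_orphaned_access(app: App) -> list:
    """Detection check: users who own Test Apps but hold no current role.
    Returns a sorted list of user ids so the owner can reassign or delete
    those Test Apps when a role is revoked."""
    orphaned = {u for u in app.test_apps.values() if u not in app.roles}
    return sorted(orphaned)


def demo() -> dict:
    # Constructed sample data: one main App, two users, one Test App.
    app = App(app_id="APP_ID_OF_THE_TARGET_APP")
    grant_role(app, "alice", "admin")
    grant_role(app, "bob", "developer")
    create_test_app(app, "bob", "test-app-1")
    remove_role(app, "bob")
    return {
        "stale_allows_bob": can_view_dashboard_stale(app, "bob"),
        "fixed_allows_bob": can_view_dashboard_fixed(app, "bob"),
        "fixed_allows_alice": can_view_dashboard_fixed(app, "alice"),
        "orphaned": audit_orphaned_access(app),
    }


if __name__ == "__main__":
    print(demo())
```

The fix is to derive every Dashboard, Insights and Roles view from the live role table and to run the audit (or an equivalent cleanup hook) whenever a role is revoked, so ownership of a Test App never outlives the role that allowed creating it.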

Timeline -

Reported - Tuesday, January 1, 2019

Triaged - Tuesday, January 15, 2019

Rewarded - Thursday, January 2, 2020