(POC) Update business fyi message as Facebook page analyst

Description / Impact

In FB5 there is a COVID-19 related feature that allows a page to post a notice about its customer service as a result of the coronavirus. This action requires a high-privilege role to be performed on behalf of the page, but in my testing I observed that it was possible to update the business fyi message with only the analyst permissions.

This behavior is unexpected, since the analyst role is generally a read-only permission.
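The root cause described here is a mutation that only verifies the caller holds some role on the page, rather than a role that carries write authority. As an added illustration (not Facebook's code; the role names, the CONTENT_WRITERS policy and the sample data are assumptions), the flawed check is shown beside a hardened one:

```python
from enum import Enum

# Hypothetical page roles; Facebook's real role and permission names are assumptions.
class Role(Enum):
    ADMIN = "admin"
    EDITOR = "editor"
    MODERATOR = "moderator"
    ADVERTISER = "advertiser"
    ANALYST = "analyst"

# Roles allowed to change customer-facing page content. Analyst is read-only,
# so it is deliberately absent. This table is a constructed policy.
CONTENT_WRITERS = {Role.ADMIN, Role.EDITOR}

# page_id -> {user_id: Role}; constructed sample data.
PAGE_ROLES = {
    "page-123": {"u-admin": Role.ADMIN, "u-analyst": Role.ANALYST},
}
PAGE_FYI = {}  # page_id -> currently published fyi message


class Forbidden(Exception):
    pass


def role_on_page(user_id, page_id):
    role = PAGE_ROLES.get(page_id, {}).get(user_id)
    if role is None:
        raise Forbidden("no role on page")
    return role


def update_fyi_message_vulnerable(user_id, page_id, text, button_url):
    # The flaw this report describes: the mutation only checks that the caller
    # has *some* role on the page, so a read-only analyst passes.
    role_on_page(user_id, page_id)
    PAGE_FYI[page_id] = {"text": text, "button_url": button_url}
    return PAGE_FYI[page_id]


def update_fyi_message_fixed(user_id, page_id, text, button_url):
    # Hardened: the write is gated on a role that actually grants content edits.
    if role_on_page(user_id, page_id) not in CONTENT_WRITERS:
        raise Forbidden("role may not edit page content")
    PAGE_FYI[page_id] = {"text": text, "button_url": button_url}
    return PAGE_FYI[page_id]


def analyst_can_write(handler):
    """Return True if an analyst-role account can perform the mutation."""
    try:
        handler("u-analyst", "page-123", "Update", "https://example.test")
        return True
    except Forbidden:
        return False
```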

Proof of Concept / Repro steps

  • Obtain the page ID.
  • Submit the request:
    HTTP POST /api/graphql/?av=valueObtainedFromStepOne
    Host: facebook.com
  • Display a button that links to your own URL:
    HTTP POST /api/graphql/?av=valueObtainedFromStepOne
    Host: facebook.com
  • The business fyi message has now been updated by an account holding only the analyst role.
  • The message displayed to customers:

Coronavirus (COVID-19) Update From {page name}

Due to challenges caused by coronavirus (COVID-19), we’re providing our customers with extra support and resources

Visit {URL button}

13/08/2020: Report sent
Triaged by Facebook after 10 hours.
25/08/2020: Patch confirmed by Facebook
27/08/2020: $750 bounty awarded by Facebook

Ahmad Talahmeh, Security Researcher