Missing Authorization check in Facebook Pages Manager

Severity: Medium

Complexity: Easy

Weakness: Authorization/Permission Model

Discovery:

This was a missing authorization check in Facebook Pages Manager when disconnecting a Facebook page from a Twitter handle.

I used to see a lot of posts where anything someone tweets or retweets on Twitter gets posted to Facebook.

Example: a tweet from Twitter
  • So I decided to test the Facebook-Twitter authorization flow to find any bugs!

www.facebook.com/twitter

  • I created a demo page on Facebook and, as an ADMIN of the page, linked the Facebook page with Twitter.

Reproduce:

1) Create a page and link the page with a Twitter handle.

2) Make your second account an ANALYST of that page.

3) An Analyst is not allowed to make any changes to the page.

4) Now log in to your second account (the ANALYST account) and navigate to
www.facebook.com/twitter

5) You will see an unlink option. Click Unlink and the page will be unlinked from Twitter.
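The root cause of the steps above is that the unlink handler only checked that the caller had some role on the page, not that the role permitted the action. The following is an added example (not Facebook's code) that models a hypothetical page-role permission matrix, shows a handler with the missing check beside the hardened version, and treats the ADMIN/ANALYST roles and the `unlink_twitter` action as constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical page roles and the actions each role may perform.
# Constructed for this example; not Facebook's real permission model.
ROLE_PERMISSIONS = {
    "ADMIN":   {"view_insights", "publish", "link_twitter", "unlink_twitter"},
    "EDITOR":  {"view_insights", "publish"},
    "ANALYST": {"view_insights"},
}


@dataclass
class Page:
    page_id: str
    roles: Dict[str, str]            # user_id -> role name on this page
    twitter_handle: Optional[str]    # None when no handle is linked


class Forbidden(Exception):
    pass


def unlink_twitter_vulnerable(page: Page, user_id: str) -> Page:
    """Mirrors the reported bug: membership on the page is checked, but the
    specific action is not, so an ANALYST can unlink the Twitter handle."""
    if user_id not in page.roles:
        raise Forbidden("not a member of this page")
    page.twitter_handle = None
    return page


def is_allowed(page: Page, user_id: str, action: str) -> bool:
    """Server-side authorization: the caller's role on *this* page must grant the action."""
    role = page.roles.get(user_id)
    return role is not None and action in ROLE_PERMISSIONS.get(role, set())


def unlink_twitter_fixed(page: Page, user_id: str) -> Page:
    """Hardened handler: deny before any state change unless the role permits it."""
    if not is_allowed(page, user_id, "unlink_twitter"):
        raise Forbidden(f"user {user_id} may not unlink_twitter on page {page.page_id}")
    page.twitter_handle = None
    return page


def make_demo_page() -> Page:
    # Constructed sample page: "admin1" is ADMIN, "analyst1" is ANALYST.
    return Page("demo-page", {"admin1": "ADMIN", "analyst1": "ANALYST"}, "@demo_handle")
```

The check must run on the server for every state-changing request; hiding the Unlink button in the UI for analysts is not a substitute.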

VIDEO POC:

  • Bug Discovered on March 20, 2017

Security Analyst
