About Facebook Business Manager

Small to large businesses use Business Manager to organise their business assets and information in one place. We can use Business Manager to control our Facebook assets and make sure that the right people have the correct access.

A Business Manager admin can only add assets that they own or that an asset admin has granted them permission to add. Assets include Facebook Pages, ad accounts, Instagram accounts, Facebook applications and WhatsApp accounts.

In order to add a WhatsApp Business account, the Business Manager admin needs to enter the WhatsApp mobile number and verify the five-digit code sent to that number.


Impact
This could allow a malicious user to view private videos, provided they knew the video's FBID.

Endpoint —
https://developers.facebook.com/v2/async/videos/?video_id=xxxxxxxxx

This endpoint returned the video source of any Facebook video, whether it was shared in a message, in a story or on Workplace.

Timeline:

Reported — 18 Nov, 2018

Fixed — 20 Nov, 2018

Bounty — 16 January, 2019


Description:
We can add an Instagram account to a Facebook Page if we hold an admin or editor role on the page. Adding an Instagram account to a Facebook Page allows us to create Instagram ads in Ads Manager without needing to connect the Instagram account to a Business Manager.

There is an endpoint to connect an Instagram account through the mobile browser or “mbasic.facebook.com”:

POST /Redacted HTTP/1.1
Host: mbasic.facebook.com

fb_dtsg: — sanitized —
jazoest: — sanitized —
username: VICTIM_INSTAGRAM_USERNAME
password: VICTIM_INSTAGRAM_PASSWORD
page_id: ATTACKER_PAGE_ID

Login Security:
Facebook uses a rate-limiting mechanism to protect the login request from password guessing…
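The defensive lesson from the request above is that a secondary form accepting a username and password (here the page-to-Instagram connect endpoint) needs the same failed-attempt throttle as the primary login route, keyed on the target account rather than on the route. The following added example (not code from the original post or from Facebook; the window, limit and the route names are hypothetical policy values) shows such a shared throttle:

```python
"""Sliding-window failed-login throttle shared by every credential sink."""
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # hypothetical policy: count failures over 5 minutes
MAX_ATTEMPTS = 5       # hypothetical policy: 5 failures per window per account


class CredentialThrottle:
    """Counts failed password checks per target username across all routes."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_ATTEMPTS):
        self.window = window
        self.limit = limit
        self._failures = defaultdict(deque)  # username -> failure timestamps

    def _prune(self, username, now):
        # Drop failures that have aged out of the window.
        q = self._failures[username]
        while q and now - q[0] >= self.window:
            q.popleft()

    def allowed(self, username, now):
        self._prune(username, now)
        return len(self._failures[username]) < self.limit

    def record_failure(self, username, now):
        self._prune(username, now)
        self._failures[username].append(now)

    def record_success(self, username):
        self._failures.pop(username, None)


# Constructed stand-in for the real credential store: one known-good pair.
_VALID = {"victim_user": "correct-horse"}


def attempt(throttle, route, username, password, now):
    """Shared gate for both a /login and a /connect_instagram style route.

    Returns 'ok', 'bad_password' or 'throttled'. The route name is only
    informational (it would go into the audit log); it never changes the
    decision, so the connect form cannot bypass the login throttle.
    """
    if not throttle.allowed(username, now):
        return "throttled"          # do not even check the password
    if _VALID.get(username) == password:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, now)
    return "bad_password"
```

Once the limit is hit, even a correct password is refused until the window slides, so a guesser spreading attempts across both routes gains nothing.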


If you believe your account has been compromised by another person or a virus, Facebook will take you through a few steps to change your password and make sure that any recent changes to your account came from you, to help keep your account secure.
Link — https://www.facebook.com/hacked

POC video:

The /hacked feature added an unconfirmed email address to my account.

Impact — This could have allowed malicious users to take over any email addresses not confirmed on Facebook, which could in turn let a malicious individual access third-party apps that rely on Facebook's verification of the account's email address.

Timeline:

Submitted - November 15, 2018

Bounty - January 5, 2019

Sameer Rao

Security Researcher
