I recently found a security flaw that let me mess up ad accounts with a single request.
The Exploit
Facebook lets you give others access to your ad account with different roles and permissions. Moreover, you can request shared access in the Meta Business Suite if you are, for example, an agency that needs access to a client’s account.
I was poking around this “shared access” feature when I noticed something interesting. Using Burp Suite (a tool for intercepting web requests), I saw a parameter called “permitted_roles” with a numerical ID for the permission level.
I tried changing this ID to a random 15-digit number (all the valid IDs were 15 digits long). And bam! It worked… but not in the way I expected. This messed-up request completely locked the ad account owner out of managing permissions. No adding, removing, or changing access for anyone!
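To show why a request like that can lock the owner out, here is an added example (not Meta’s code, written for this post) of a toy permission store with a handler that persists the client-supplied role ID unchecked beside one that validates it against a server-side allow-list; the role IDs and account names are constructed placeholders.

```python
# Added example, not Meta's code: toy permission store showing how an unvalidated
# "permitted_roles" ID wedges later management. Role IDs are constructed placeholders.
KNOWN_ROLES = {
    100000000000001: "admin",
    100000000000002: "advertiser",
    100000000000003: "analyst",
}

class PermissionLockedError(Exception):
    """Stored permissions can no longer be interpreted by the server."""

def grant_shared_access_vulnerable(store, account_id, partner_id, permitted_roles):
    # Persists whatever role IDs the client sent, with no allow-list check.
    store.setdefault(account_id, {})[partner_id] = list(permitted_roles)

def grant_shared_access_hardened(store, account_id, partner_id, permitted_roles):
    # Reject unknown IDs before anything is stored, so bad input cannot corrupt state.
    unknown = [r for r in permitted_roles if r not in KNOWN_ROLES]
    if unknown:
        raise ValueError(f"unknown permitted_roles: {unknown}")
    store.setdefault(account_id, {})[partner_id] = list(permitted_roles)

def list_roles(store, account_id):
    # Every management action first resolves the stored IDs; one unresolvable
    # ID fails the whole call, which is the owner-lockout symptom from the post.
    resolved = {}
    for partner, roles in store.get(account_id, {}).items():
        try:
            resolved[partner] = [KNOWN_ROLES[r] for r in roles]
        except KeyError as exc:
            raise PermissionLockedError(f"unresolvable role id {exc.args[0]}") from exc
    return resolved

def can_owner_manage(store, account_id):
    try:
        list_roles(store, account_id)
        return True
    except PermissionLockedError:
        return False

def demo():
    # Constructed scenario: the same bogus request sent to both handlers.
    vulnerable, hardened = {}, {}
    bogus = [123456789012345]  # 15 digits long, but not a known role
    grant_shared_access_vulnerable(vulnerable, "act_1", "agency_A", bogus)
    try:
        grant_shared_access_hardened(hardened, "act_1", "agency_A", bogus)
    except ValueError:
        pass  # request refused; stored state untouched
    return can_owner_manage(vulnerable, "act_1"), can_owner_manage(hardened, "act_1")
```

`demo()` returns `(False, True)`: the unchecked store is wedged for the owner, while the validating handler simply refuses the request.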
The Impact
This was a big deal because:
Loss of Control: The owner couldn’t control who accessed their account.
Campaign Chaos: Imagine running ads when you can’t manage access!
Financial Risk: This could cause serious financial losses for businesses.
Reputation Damage: Mishandled campaigns could hurt a company’s reputation.
Timeline
August 3, 2024: Reported the bug to Meta.
October 24, 2024: They fixed it!
October 30, 2024: Got a $2,000 bounty + $100 bonus! 💰