Bypassing the fix of the Domain Blocking feature in Business Manager

Rohit kumar
1 min read · Aug 15, 2019

A few months back I reported the vulnerability "Demoted business admin could apply blocklist to all ad accounts", and Facebook rewarded me $500 for it. After a bit more testing, I noticed I could still apply a blocklist to all ad accounts in Business Manager with low privileges.

PoC Video

Impact

This could allow a demoted business admin to apply a blocklist to all ad accounts.

Repro steps

You need two admin accounts (Admin A and Admin B) in a Business Manager.

Steps
===
1. From the Admin B account, upload a new blocklist and apply it to all ad accounts.
2. From the Admin A account, change the permission of "Admin B" to employee.
3. Now, from the Admin B account (which is now an employee), visit the blocklist page. You will notice that you can still upload a blocklist, but you can't apply it to all ad accounts.
4. To apply a new blocklist to all ad accounts, simply replace the previous blocklist that you uploaded and applied to all ad accounts.
5. The new blocklist is updated and applied to all ad accounts.
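The bypass in these steps is an authorization check that is enforced when a blocklist is created but not when an existing one is replaced: the stored "applies to all ad accounts" scope is carried over without re-checking the caller's current role. As an added example (not Facebook's code; the classes, role names and domains are constructed for illustration), the model below shows the vulnerable replace path beside a hardened one that re-authorizes the write against the current role:

```python
from dataclasses import dataclass, field

ADMIN, EMPLOYEE = "admin", "employee"

@dataclass
class Blocklist:
    owner: str
    domains: list
    apply_to_all: bool   # scoped to all ad accounts

@dataclass
class BusinessManager:
    roles: dict                                     # user -> current role (hypothetical model)
    blocklists: dict = field(default_factory=dict)  # name -> Blocklist

    def upload(self, user, name, domains, apply_to_all):
        # Create path: the all-ad-accounts scope is gated on the caller's current role.
        if apply_to_all and self.roles[user] != ADMIN:
            raise PermissionError("only admins may apply a blocklist to all ad accounts")
        self.blocklists[name] = Blocklist(user, list(domains), apply_to_all)

    def replace_vulnerable(self, user, name, domains):
        # Update path with the bug: only ownership is checked; the stored scope is
        # carried over without re-checking the caller's current role.
        bl = self.blocklists[name]
        if bl.owner != user:
            raise PermissionError("not the owner")
        bl.domains = list(domains)

    def replace_fixed(self, user, name, domains):
        # Hardened update path: a write that keeps the all-accounts scope is
        # re-authorized against the caller's current role, exactly as on create.
        bl = self.blocklists[name]
        if bl.owner != user:
            raise PermissionError("not the owner")
        if bl.apply_to_all and self.roles[user] != ADMIN:
            raise PermissionError("only admins may change a blocklist applied to all ad accounts")
        bl.domains = list(domains)

def demo(fixed):
    """Replay steps 1-5 with a constructed business. Returns the domains now applied
    to all ad accounts, or None if the replace was rejected."""
    bm = BusinessManager(roles={"admin_a": ADMIN, "admin_b": ADMIN})
    bm.upload("admin_b", "list1", ["blocked.example"], apply_to_all=True)  # step 1
    bm.roles["admin_b"] = EMPLOYEE                                           # step 2: Admin A demotes B
    replace = bm.replace_fixed if fixed else bm.replace_vulnerable
    try:
        replace("admin_b", "list1", ["blocked.example", "added.example"])     # step 4
    except PermissionError:
        return None
    return bm.blocklists["list1"].domains
```

Running `demo(False)` shows the demoted account's replacement landing on all ad accounts, while `demo(True)` rejects it; the detection-side takeaway is to log and alert on scope-preserving updates whose caller no longer holds the role the scope requires.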
