Page shops with a hidden Product in “Featured product section” which could be controlled by attacker (Ex Editor).
Product Area
Pages
Complete Details
===
Facebook allows businesses to sell products on Facebook using their Facebook page & shop feature. In this report, I will demonstrate how a page could have a featured product from another attacker’s page.
While initiating this request a user needs “Full permission — Admin” on the victim’s page, later on when that admin will be removed from that page, that malicious user will be still able to control the featured product section of the victim page.
Impact
===
This could allow an attacker to steal sales from the victim’s page, or this could allow an attacker to manage/edit “Featured products or collections” without having any role on-page.
Repro steps
Setup
===
Users: USER A, USER B; USER A admin of “PAGE A” and “PAGE B”; USER B admin of “PAGE B”
Environment: USER A — Attacker / Malicious user; USER B — Victim
Steps
===
1. First, enable shops option on both PAGE A and PAGE B using respective accounts. https://www.facebook.com/business/help/912190892201033?id=206236483305742
2. Now, from USER A (attacker) add a new product on “PAGE A” from this link — https://business.facebook.com/PAGE-ID/publishing_tools/?section=COMMERCE_PRODUCTS
3. Now, after adding this copy product_id from the response.
4. Now, FROM USER B (victim) account perform the same step and add 1 product.
5. From USER B (victim) create a collection of products using this link — https://business.facebook.com/PAGE-ID/publishing_tools?section=COMMERCE_COLLECTIONS
6. Copy collection_id from the response.
6. Now, as I mentioned USER A (Attacker) needs access to the victim page also, so this attacker will also get access to this collection_id for now.
7. Now, go back to USER A (Attacker), create your own collection with your products, and intercept this request.
8. Here change your collection_id to victim’s collection_id, forward this request.
9. Now, from Victim’s account page (Page B), remove the attacker.
10. Now, whenever Attacker will make changes in his product (like price, images, videos, description). That will be reflected in the victim’s featured product area.
Fix
===
While creating collections, check product_id belongs to the current page_id.
Reply from Facebook
Hi Rohit,
Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you updated on our progress.
Thanks
Hi Rohit,
Thank you for your patience here.
We have discussed the issue at length and concluded that unfortunately your report falls below the bar for a monetary reward.
Page admin permissions are required to exploit this bug. With these, an attacker could conduct significantly more impactful attacks than introducing an unremovable product in the “Featured Products” section.
I wish you luck in your continued bug hunting.
Thanks
My Reply
Hi ,
After getting your reply, I tried bypassing some restrictions on this report and fortunately, I noticed that an “Editor” level access account can also initiate this same attack. So, as you mentioned “Page admin permissions are required to exploit this bug. With these, an attacker could conduct significantly more impactful attacks”.
Now, we don’t need admin permission, we need only editor level access and when any admin will remove editor, he/she can still control those “collections or featured products”.
Kindly forward this to a concerned team and let me know if you are looking for more info.
Thanks,
Rohit Kumar
Reply from Facebook
Hi Rohit,
Thanks for your patience here. After discussing this report further, we’ve reaffirmed our decision not to issue a bounty here. A malicious page editor, similar to a page administrator, has a lot of access to a page which can be used in more malicious ways than the behavior described here. Although this issue does not qualify as a part of our bounty program we appreciate your report. We will follow up with you on any security bugs or with any further questions we may have.
Timeline
Reported : 9 March 2020
Triaged: 17 March 2020
Closed as Informative : 2 April 2020
Re-opened for Review : 7 April 2020
Closed as Informative : 28 May 2020
