Hi bug hunters! This article is about my latest finding on Facebook. I regularly check Facebook for the latest updates and features. In April I noticed they had added a feature called Business Plan for page admins. You can read below how I was able to abuse this feature.
While testing this feature I noticed that if a page analyst browses to this path directly, he is able to access and manage the business plan, but only with the correct session_id.
I reported the issue to the Facebook team:
A business page admin can create a business plan for their page, which cannot be managed by any user other than the admin. I noticed that if a Page Analyst browses the URL https://www.facebook.com/business/dashboard/?session_id=[ID in BASE64], he is able to manage the business plan created by the admin.
The Facebook team's response:
The session_id does not appear to be bruteforceable due to its complex nature, so that does not seem to be a feasible scenario. There does not appear to be any significant security impact, therefore this does not qualify for a bounty. If you can update this report with a PoC that shows a clear security impact, please do so and we can re-evaluate this issue.
After the Facebook team's response, I looked for different ways to exploit this issue. After some time I noticed that if a page analyst browses to the path without the session_id, he is still able to access and manage the business plan. I immediately reopened the report, and one of the Facebook team members confirmed that the issue was valid.
After the fix, Facebook awarded me $500 and a place in the hall of fame on their thanks page.
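The two behaviours reported above (access with someone else's session_id, and access with no session_id at all) are what you get when a route gates on an optional parameter instead of on the caller's role. The following is a constructed model of that failure and its fix; it is added here as an illustration and is not Facebook's code, and the user names, roles and session table are all made up.

```python
"""Simulated authorization for an admin-only "business dashboard" route.

Constructed example, not Facebook's code. It models the defect described
in the post: authorization hangs off the optional session_id parameter,
so an analyst gets through either by supplying a valid session_id or by
omitting it, and then shows the role-based check that closes both holes.
"""
from typing import Optional

# Constructed sample data: page roles and a session table.
PAGE_ROLES = {"alice": "admin", "bob": "analyst"}
SESSIONS = {"c2Vzc2lvbi1hbGljZQ==": "alice"}  # placeholder base64 blob


def can_manage_plan_vulnerable(user: str, session_id: Optional[str]) -> bool:
    """Vulnerable pattern: the only gate is the session_id lookup.

    With a session_id, the owner of that session is checked for the admin
    role, never the actual caller (first bypass in the post). Without a
    session_id the code falls through to a branch that assumes it is only
    reached by the page's own UI and checks no role at all (second bypass).
    """
    if session_id is not None:
        owner = SESSIONS.get(session_id)
        return owner is not None and PAGE_ROLES.get(owner) == "admin"
    # Fallback branch: any user with some role on the page is let through.
    return user in PAGE_ROLES


def can_manage_plan_fixed(user: str, session_id: Optional[str]) -> bool:
    """Hardened: authorize on the authenticated caller's role every time.

    The optional session_id can only narrow access, never widen it: it is
    rejected if it belongs to a different user, and its absence changes
    nothing about the role requirement.
    """
    if PAGE_ROLES.get(user) != "admin":
        return False
    if session_id is not None and SESSIONS.get(session_id) != user:
        return False
    return True
```

The test cases to keep in a regression suite are exactly the two reports: a non-admin with a borrowed session_id and a non-admin with none, both of which must be denied.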
Don’t stop if the security team closes your report as informative. Always look for different ways to exploit the issue.