[WRITE-UP] Bypassing 2-Factor Authentication for Facebook Business Manager (Bounty: 1000 USD)

Hi guys, it’s Shubham Bhamare again. In this write-up, I’m going to tell you how I bypassed 2-Factor Authentication for Facebook Business Manager using a very simple trick.

Due to this issue, an attacker was able to make changes in the victim’s Facebook Business Manager account. However, access to the victim’s personal Facebook account was needed first.

Without wasting time, let’s start! 👉

===

Setup and Scenario:

  1. An attacker (ABC) has access to the victim (XYZ)’s personal Facebook account. XYZ has enabled 2-Factor Authentication for Business Manager (enabling it is required before a Business Manager account can be used).

Platform: Facebook Web

===

Reproduction steps:

  1. ABC has access to XYZ’s personal Facebook account but wants to make changes in XYZ’s Business Manager account, which is not accessible because 2FA is enabled. So, first of all, go to ABC’s own Business Manager account, then intercept and copy the request for any action you want to perform on XYZ’s Business Manager.
  2. Now, as you have access to XYZ’s Facebook account, copy his/her cookies and fb_dtsg token and replace them in the Business Manager request captured earlier. You’ll also have to replace ABC’s business_id with XYZ’s business_id in this request. When that’s done, forward the modified request. You’ll see the action is completed successfully in XYZ’s Business Manager account. In this way, any action can be performed on XYZ’s Business Manager account.
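To show why the replayed request went through and what a server-side fix looks like, here is an added example in Python; it is not Facebook’s code and not part of the original write-up. It assumes (hypothetically) that the 2FA step-up was enforced only when rendering the Business Manager UI and not on the backend action endpoint; Session, BUSINESS_MEMBERS, complete_2fa, authorize_vulnerable, authorize_hardened and STEP_UP_MAX_AGE are constructed names.

```python
from dataclasses import dataclass, field
import hmac
import time

STEP_UP_MAX_AGE = 12 * 3600  # seconds; re-prompt for 2FA after this (assumed policy)

# Constructed membership table: which user accounts belong to which business
BUSINESS_MEMBERS = {"biz_abc": {"abc"}, "biz_xyz": {"xyz"}}

@dataclass
class Session:
    user_id: str
    fb_dtsg: str                                   # per-session CSRF token
    step_up: dict = field(default_factory=dict)    # business_id -> time 2FA was completed

def complete_2fa(session, business_id, code_ok):
    """Called by the 2FA prompt handler once the user's code verifies (code_ok)."""
    if code_ok:
        session.step_up[business_id] = time.time()

def authorize_vulnerable(session, business_id, fb_dtsg):
    """Checks cookie identity, CSRF token and business membership only.
    A request carrying XYZ's cookies and fb_dtsg with business_id set to XYZ's
    business passes even though this session never saw the 2FA prompt."""
    if not hmac.compare_digest(session.fb_dtsg, fb_dtsg):
        return False
    return session.user_id in BUSINESS_MEMBERS.get(business_id, set())

def authorize_hardened(session, business_id, fb_dtsg, now=None):
    """Same checks, plus: this session must have completed 2FA for this
    business_id recently. Run on every mutating Business Manager endpoint,
    not only when rendering the Business Manager UI."""
    if not authorize_vulnerable(session, business_id, fb_dtsg):
        return False
    done_at = session.step_up.get(business_id)
    if done_at is None:
        return False
    return ((now if now is not None else time.time()) - done_at) <= STEP_UP_MAX_AGE

def demo():
    """Constructed scenario from the write-up: a session with XYZ's cookies
    and fb_dtsg that never passed the Business Manager 2FA prompt."""
    xyz = Session(user_id="xyz", fb_dtsg="tok-xyz")
    replayed = {"business_id": "biz_xyz", "fb_dtsg": "tok-xyz"}
    before = (authorize_vulnerable(xyz, **replayed), authorize_hardened(xyz, **replayed))
    complete_2fa(xyz, "biz_xyz", code_ok=True)      # legitimate owner finishes 2FA
    after = authorize_hardened(xyz, **replayed)
    return before, after
```

The key point for defenders is that the step-up state lives in the session and is checked per business_id on the action endpoint, so swapping identifiers in a captured request no longer helps.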

===

Bounty:

1000 USD

===

Timeline:

May 05, 2019: Report sent

May 08, 2019: Pre-triaged

June 14, 2019: Triaged

July 24, 2019: 1000 USD bounty awarded

July 25, 2019: Issue fixed

===

Thank you for reading! Stay tuned for my next write-up and don’t forget to follow me on Facebook, Twitter, Instagram and Medium. 😊

===

An ORDINARY guy with EXTRAORDINARY dreams!