[WRITE-UP] Bypassing 2-Factor Authentication for Facebook Business Manager (Bounty: 1000 USD)
Hi guys, it’s Shubham Bhamare again. In this write-up, I’m going to tell you how I bypassed 2-Factor Authentication for Facebook Business Manager using a very simple trick.
Due to this issue, an attacker was able to make changes in the victim’s Facebook Business Manager account. However, access to the victim’s personal Facebook account was needed first.
Without wasting time, let’s start! 👉
Setup and Scenario:
- An attacker (ABC) has access to the victim (XYZ)’s personal Facebook account. XYZ has enabled 2-Factor Authentication for Business Manager (it’s necessary to enable it before using a Business Manager account).
Platform: Facebook Web
- ABC has access to XYZ’s personal Facebook account but wants to make changes in XYZ’s Business Manager account, which is not accessible because 2FA is enabled. So, first of all, go to ABC’s Business Manager account and intercept and copy the request of any action you want to make from XYZ’s Business Manager.
- Now, as you have access to XYZ’s Facebook account, copy his/her cookies and fb_dtsg token and replace them in the Business Manager request captured previously. You’ll also have to replace ABC’s business_id with XYZ’s business_id in this request. When it’s done, forward the modified request. You’ll see the action is successfully completed from XYZ’s Business Manager account. This way, you can perform any action on XYZ’s Business Manager account.
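The root cause behind these steps is an authorization gap: the action endpoint trusted the personal-account session (cookie plus fb_dtsg CSRF token) and the ownership of the supplied business_id, but never checked whether that session had actually passed the Business Manager 2FA. The following is an added example, not Facebook’s code: a toy Python model of such an endpoint in its vulnerable form next to a hardened form that requires a 2FA step-up bound to both the session and the specific business_id. All names, data structures and values (Session, BUSINESS_OWNERS, biz-xyz, add_admin and so on) are constructed for illustration.

```python
"""Toy model of a Business Manager action endpoint.

Added example, not Facebook's code: all names, data and checks are
constructed. It contrasts the pattern the write-up describes (only the
personal-account session and fb_dtsg are checked) with a variant that
requires a 2FA step-up keyed by session and business_id.
"""

import hmac
import secrets
from dataclasses import dataclass, field


class AuthError(Exception):
    """Raised when a request fails authentication or authorization."""


@dataclass
class Session:
    user_id: str
    cookie: str
    fb_dtsg: str                                       # CSRF token bound to the session
    stepped_up_for: set = field(default_factory=set)   # business_ids with completed 2FA


# Constructed server-side state.
SESSIONS: dict = {}                                    # cookie -> Session
BUSINESS_OWNERS = {"biz-xyz": "user-xyz", "biz-abc": "user-abc"}
BUSINESS_2FA_REQUIRED = {"biz-xyz": True, "biz-abc": True}


def create_session(user_id: str) -> Session:
    """Personal-account login only; no Business Manager 2FA yet."""
    session = Session(user_id=user_id,
                      cookie=secrets.token_urlsafe(16),
                      fb_dtsg=secrets.token_urlsafe(16))
    SESSIONS[session.cookie] = session
    return session


def complete_2fa_step_up(session: Session, business_id: str, code_valid: bool) -> None:
    """Record a 2FA step-up for one business on one session.
    `code_valid` stands in for server-side verification of the second factor."""
    if code_valid:
        session.stepped_up_for.add(business_id)


def _authenticate(request: dict) -> Session:
    """Shared checks: live session cookie and matching fb_dtsg token."""
    session = SESSIONS.get(request.get("cookie"))
    if session is None:
        raise AuthError("no session for cookie")
    if not hmac.compare_digest(session.fb_dtsg, request.get("fb_dtsg", "")):
        raise AuthError("fb_dtsg does not match session")
    return session


def _authorize_owner(session: Session, business_id: str) -> None:
    if BUSINESS_OWNERS.get(business_id) != session.user_id:
        raise AuthError("session user does not own this business")


def vulnerable_business_action(request: dict) -> dict:
    """Ownership is checked against the personal-account session, but the
    business's 2FA requirement is never consulted: cookie + fb_dtsg suffice."""
    session = _authenticate(request)
    _authorize_owner(session, request["business_id"])
    return {"ok": True, "business_id": request["business_id"], "action": request["action"]}


def hardened_business_action(request: dict) -> dict:
    """Same checks, plus: a business that requires 2FA is only reachable from a
    session that completed a step-up for *this* business_id, so substituting
    a different business_id into a replayed request is rejected."""
    session = _authenticate(request)
    business_id = request["business_id"]
    _authorize_owner(session, business_id)
    if BUSINESS_2FA_REQUIRED.get(business_id) and business_id not in session.stepped_up_for:
        raise AuthError("2FA step-up required for this business")
    return {"ok": True, "business_id": business_id, "action": request["action"]}


def run_demo() -> dict:
    """Call both endpoints with a personal-account-only session, then again
    after a 2FA step-up. Returns the outcomes for inspection."""
    SESSIONS.clear()
    xyz = create_session("user-xyz")
    request = {"cookie": xyz.cookie, "fb_dtsg": xyz.fb_dtsg,
               "business_id": "biz-xyz", "action": "add_admin"}
    results = {"vulnerable_without_2fa": vulnerable_business_action(request)["ok"]}
    try:
        hardened_business_action(request)
        results["hardened_without_2fa"] = True
    except AuthError as err:
        results["hardened_without_2fa"] = False
        results["hardened_error"] = str(err)
    complete_2fa_step_up(xyz, "biz-xyz", code_valid=True)
    results["hardened_after_2fa"] = hardened_business_action(request)["ok"]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The design point is in `hardened_business_action`: the step-up marker lives on the server-side session and is keyed by business_id, so neither a copied cookie and fb_dtsg nor a swapped business_id can satisfy it unless the second factor for that business was actually completed in that session.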
May 05, 2019: Report sent
May 08, 2019: Pre-triaged
June 14, 2019: Triaged
July 24, 2019: 1000 USD bounty awarded
July 25, 2019: Issue fixed