Bug discovered on: 3rd February, 2018
You can read about Facebook Pixel here: https://developers.facebook.com/docs/facebook-pixel
User 'A' and User 'B' each have their own account in Facebook Business (business.facebook.com).
User 'A' - Victim, User 'B' - Attacker
User 'A' creates a Facebook Pixel.
User 'B' creates an Event Source Group and chooses A's pixel in it.
User 'B' visits the Event Source Group he created and opens the settings page. A's pixel analytics can be accessed from this page.
This is what the Pixel's analytics page looks like. Since this is a new pixel, no data is available yet.
User 'A' now removes the permissions given to User 'B'.
User 'B' visits the analytics page of the Pixel. The analytics data is still accessible even though he no longer has any permissions.
After the mitigation of the flaw:
Now, if a person who doesn't have any permissions visits the analytics page, he is shown this page.
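The sequence above, modelled as an added example (not code from the original post and not Facebook's implementation): the `Store` class, its method names and the idea that the group keeps a stored reference to the pixel are assumptions made for illustration. With `recheck=False` the read path trusts that stored reference; with `recheck=True` it also requires a current grant on the pixel, which is the behaviour described after the fix.

```python
# Toy model (assumed design, not Facebook's implementation): a pixel has
# per-user grants; an event source group stores references to pixels.
class Denied(Exception):
    pass

class Store:
    def __init__(self):
        self.owner = {}    # pixel_id -> owning user
        self.grants = {}   # pixel_id -> users the owner has granted access
        self.groups = {}   # group_id -> {"owner": user, "pixels": set()}

    def create_pixel(self, pixel_id, owner):
        self.owner[pixel_id] = owner
        self.grants[pixel_id] = set()

    def can_read(self, user, pixel_id):
        return user == self.owner[pixel_id] or user in self.grants[pixel_id]

    def add_to_group(self, user, group_id, pixel_id):
        # Authorization is evaluated once, when the reference is created.
        if not self.can_read(user, pixel_id):
            raise Denied("no permission on pixel")
        group = self.groups.setdefault(group_id, {"owner": user, "pixels": set()})
        if group["owner"] != user:
            raise Denied("not the group owner")
        group["pixels"].add(pixel_id)

    def analytics_via_group(self, user, group_id, pixel_id, recheck):
        group = self.groups.get(group_id)
        if not group or user != group["owner"] or pixel_id not in group["pixels"]:
            raise Denied("pixel not reachable through this group")
        # recheck=False: trusts the stored reference (the stale-access pattern).
        # recheck=True: also requires a current grant on the pixel itself.
        if recheck and not self.can_read(user, pixel_id):
            raise Denied("pixel permission revoked")
        return f"analytics:{pixel_id}"

def access_after_revocation(recheck):
    """Replay the write-up's steps; True means B still reads A's analytics."""
    s = Store()
    s.create_pixel("px1", "A")
    s.grants["px1"].add("B")             # A gives B permission on the pixel
    s.add_to_group("B", "esg1", "px1")   # B puts A's pixel in an event source group
    s.grants["px1"].discard("B")         # A removes B's permission
    try:
        s.analytics_via_group("B", "esg1", "px1", recheck)
        return True
    except Denied:
        return False
```

`access_after_revocation` works as a regression test for this class of bug: every read path that reaches a resource indirectly should return `False` after the direct grant is removed.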
3rd February, 2018 - Bug reported
10th February, 2018 - Report was sent to product team (Triaged).
24th February, 2018 - Reply from Facebook that the bug was fixed.
14th March, 2018 - Bounty of $750 awarded. My first bounty from Facebook!!