Facebook Business Manager Email Address Verification Bypass

20 Feb 2016
When a Business Manager user decides to change his/her business email address under user settings, they should verify the email ownership by clicking on a link sent to that email. This verification procedure is to prevent abuse.
I found it possible to circumvent this feature to add any business email address without verification.
1. Authenticate into Business Manager.
2. Go to Business settings -> People.
3. Edit the email address of, say, admin to any address.
4. Capture the request using any intercepting proxy and edit the value of the parameter pending_email to the attacker's own email address.
5. Complete the request and reload the page.
It could’ve added the new email address bypassing the verification process.
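The root cause in such a flaw is that the server treats a client-writable request field as evidence that verification already happened. The following is an added illustration, not Facebook's code and not from the original post: a settings handler that copies submitted fields (including pending_email) onto the record, next to a hardened flow in which the verified address can only change through a server-minted, single-use, expiring token that is delivered solely to the new address. Every name, address and the one-hour link lifetime are assumptions for illustration.

```python
"""Added example (not Facebook's code): an email-change flow in which the
verified address can only change through a server-issued token, next to a
settings handler that copies client-supplied fields such as pending_email.
Every name, address and the one-hour link lifetime here is an assumption."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a verification link


@dataclass
class Account:
    email: str                           # the verified business email
    display_name: str = ""               # hypothetical client-editable field
    pending_email: Optional[str] = None  # address awaiting verification
    pending_token: Optional[str] = None  # minted by the server, never the client
    pending_expires: float = 0.0


def vulnerable_update_settings(account: Account, form: Dict[str, str]) -> None:
    # The flaw on the page in miniature: every submitted field is written onto
    # the record, so a request naming pending_email sets it directly and the
    # "send a link first" step never happens.
    for key, value in form.items():
        if key in vars(account):
            setattr(account, key, value)


# Hardened settings handler: an explicit allow-list with no email or
# verification column, so those fields cannot be reached through this route.
EDITABLE_FIELDS = frozenset({"display_name"})


def safe_update_settings(account: Account, form: Dict[str, str]) -> List[str]:
    """Apply allow-listed fields; return the field names that were refused."""
    for key in form.keys() & EDITABLE_FIELDS:
        setattr(account, key, form[key])
    return sorted(k for k in form if k not in EDITABLE_FIELDS)


def request_email_change(account: Account, new_email: str, now: float,
                         outbox: List[Dict[str, str]]) -> None:
    # Step 1: the client supplies only the address to verify. The server mints
    # the secret and delivers it solely to that address (outbox stands in for
    # the mailer), so presenting the token later proves control of the inbox.
    token = secrets.token_urlsafe(32)
    account.pending_email = new_email
    account.pending_token = token
    account.pending_expires = now + TOKEN_TTL_SECONDS
    outbox.append({"to": new_email, "token": token})


def _clear_pending(account: Account) -> None:
    account.pending_email = None
    account.pending_token = None
    account.pending_expires = 0.0


def confirm_email_change(account: Account, presented_token: str, now: float) -> bool:
    # Step 2: the commit is gated on the token alone. The request carries no
    # address, so there is no parameter whose value decides which email wins.
    if account.pending_token is None or account.pending_email is None:
        return False
    if now > account.pending_expires:        # expired link: discard it
        _clear_pending(account)
        return False
    if not hmac.compare_digest(account.pending_token, presented_token):
        return False                         # wrong token: state untouched
    account.email = account.pending_email
    _clear_pending(account)                  # single use
    return True


def demo() -> Dict[str, object]:
    """Run both handlers on constructed accounts and report what each allowed."""
    outbox: List[Dict[str, str]] = []
    weak = Account(email="owner@example.com")
    vulnerable_update_settings(weak, {"pending_email": "attacker@example.net"})

    strong = Account(email="owner@example.com")
    refused = safe_update_settings(
        strong, {"display_name": "Ops", "pending_email": "attacker@example.net"})
    request_email_change(strong, "new-owner@example.com", now=1000.0, outbox=outbox)
    wrong_token = confirm_email_change(strong, "guessed-value", now=1001.0)
    right_token = confirm_email_change(strong, outbox[0]["token"], now=1002.0)
    replayed = confirm_email_change(strong, outbox[0]["token"], now=1003.0)

    stale = Account(email="owner@example.com")
    request_email_change(stale, "late@example.com", now=0.0, outbox=outbox)
    expired = confirm_email_change(stale, outbox[1]["token"], now=TOKEN_TTL_SECONDS + 1)

    return {
        "weak_pending": weak.pending_email,        # set although no mail was sent
        "refused_fields": refused,                 # the forged field is dropped
        "strong_display_name": strong.display_name,
        "wrong_token": wrong_token, "right_token": right_token,
        "strong_email": strong.email, "replayed": replayed,
        "expired": expired, "stale_email": stale.email,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the only request able to change the verified address contains a token and nothing else, so a proxy has no address field to rewrite; the settings route uses an allow-list rather than a deny-list so that newly added columns are closed by default.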
It was deemed as a duplicate report by the security team. Thanks for reading!