Facebook Business Manager Email Address Verification Bypass

20 Feb 2016

Description:

When a Business Manager user decides to change his/her business email address under user settings, they should verify the email ownership by clicking on a link sent to that email. This verification procedure is to prevent abuse.

I found it possible to cicumvent this feature to add any business email address without verification.

Reproduction:

Authenticate into Business Manager.
Go to Business settings –> People.
Edit the email address of say, admin to any address.
Capture the request using any intercepting proxy and edit the value of parameter email to the target business’ email and edit the value of parameter pending_email to attacker’s own email address.
Complete the request and reload the page.

It could’ve added the new email address bypassing the verification process.

 
Report sent : 04 Dec 2015

It was deemed as a duplicate report by the security team. Thanks for reading!

PageFault

Facebook Business Manager Email Address Verification Bypass

Description:

Reproduction:

Related Posts

Leaking access tokens from Microsoft apps chaining two vulnerabilities 12 Dec 2018

Unvalidated URL Redirect - Facebook Bug Bounty 12 Jan 2017

Leaking Facebook appsecret_proof - Private Bounty 12 Nov 2016