I recently stumbled upon a nasty IDOR (BOLA) vulnerability in Meta’s Business Suite mobile infrastructure. It’s one of those bugs that looks simple on paper but has a “nuclear” impact in the real world.
Long story short: I found a way to bypass Meta’s authorization checks to see private ban details and—here’s the kicker—perform administrative actions on behalf of any restricted Facebook Page or Business Manager in the world.
When I reported this, Meta brushed it off as an “integrity issue.” I disagree. When a stranger can audit your private history and purposely sabotage your one-and-only chance at an appeal, that’s not an “integrity issue”—that’s a massive security failure.
The “Magic” Link: How it Works
The bug is hidden in how Meta handles the actor_id parameter in their mobile deep links. Basically, the Facebook app trusts whatever ID you hand it without checking whether the logged-in user actually has any rights over that account.
Exploit Structure:
https://m.facebook.com/business-support-home/deeplink-redirect/?fallback_url=[ANY_URL]&native_url=fb://accountquality/?actor_id=[TARGET_ID]&source=link&_rdr
Note: These links must be opened from a mobile device with the Facebook app installed. If the account is restricted, the app reveals everything: ban reasons, dates, and appeal history.
Live Examples (Open on Mobile):
- Restricted Business Manager (ID: 1190864581349035): View BM Restriction
- Restricted Page (ID: 603003559851598): View Page Restriction
Why This is Dangerous
This vulnerability poses two major risks that go far beyond a simple data leak:
1. Corporate Espionage
Any competitor can now do a “private audit” on your business. They can see your internal strikes, ban reasons, and exactly how Meta views your account standing. This is sensitive intelligence that should never be public.
2. The “Death Blow” (Appeal Sabotage)
This is the scary part. Most accounts get one shot at a manual appeal. Using this bug, an attacker can get there first. They can upload a “black screen” or junk documents as “Identity Verification.” Meta’s automated bots flag this as fraud, and boom—your business is permanently banned with no way to fix it.
How I Verified the Mess
- The Bypass: I swapped in the ID of a Business Manager I don’t own. The app didn’t ask for permission—it just loaded the private data.
- The Action: The “Request Review” button was live. Even though I was logged into my own unrelated account, I was able to go through the entire flow, upload files, and submit text for the target’s business.
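Both findings above come down to the same missing check: the server resolves a restriction view, and later accepts an appeal, for whatever actor_id the deep link carries, without asking whether the session user holds a role on that actor. The following is an added illustration of what that object-level check looks like, written for this post and not taken from Meta's code or the original report. The `fb://accountquality/?actor_id=` link shape is the one quoted above; everything else (ROLE_TABLE, RESTRICTIONS, the actor and user names, AuthorizationError, DENIED_LOG) is constructed here as an assumption for the example.

```python
"""Added illustration: authorizing an actor_id taken from a deep link.

Constructed, self-contained example (not Meta's code). ROLE_TABLE,
RESTRICTIONS, the user and actor names and the exception types are all
assumptions made up for this illustration.
"""
from urllib.parse import urlparse, parse_qs


class AuthorizationError(Exception):
    """Raised when the session user holds no qualifying role on the actor."""


class AppealClosed(Exception):
    """Raised when the actor's single appeal slot has already been used."""


# --- constructed sample data (hypothetical IDs, not real Meta objects) -------
# Which users hold which role on which business/page "actor".
ROLE_TABLE = {
    "actor-A": {"alice": "admin", "bob": "analyst"},
    "actor-B": {"carol": "admin"},
}
# Private enforcement state per actor: the kind of data the post says leaks.
RESTRICTIONS = {
    "actor-A": {"status": "restricted", "reason": "policy_violation", "appeal_open": True},
    "actor-B": {"status": "restricted", "reason": "payment_issue", "appeal_open": True},
}
APPEALS = {}        # actor_id -> list of submitted appeals
DENIED_LOG = []     # denied attempts: the signal a detection team alerts on


def actor_from_deeplink(native_url):
    """Extract actor_id from an fb://accountquality/?actor_id=... deep link.

    Parsing the parameter is the easy half. The value is an untrusted claim
    until require_role() has confirmed it against the session user.
    """
    parsed = urlparse(native_url)
    if parsed.scheme != "fb" or parsed.netloc != "accountquality":
        raise ValueError("unexpected deep link target")
    ids = parse_qs(parsed.query).get("actor_id", [])
    if len(ids) != 1:
        raise ValueError("exactly one actor_id expected")
    return ids[0]


def get_restriction_vulnerable(session_user, actor_id):
    """BOLA pattern: the actor_id is trusted and the session user is ignored."""
    return dict(RESTRICTIONS[actor_id])


def require_role(session_user, actor_id, allowed):
    """Object-level check: does *this* session user hold a role on *this* actor?"""
    role = ROLE_TABLE.get(actor_id, {}).get(session_user)
    if role not in allowed:
        DENIED_LOG.append({"user": session_user, "actor": actor_id, "role": role})
        raise AuthorizationError(f"{session_user} has no {sorted(allowed)} role on {actor_id}")
    return role


def get_restriction(session_user, actor_id):
    """Hardened read: any role holder may view the actor's restriction details."""
    require_role(session_user, actor_id, {"admin", "analyst"})
    return dict(RESTRICTIONS[actor_id])


def submit_appeal(session_user, actor_id, evidence):
    """Hardened write: only an admin may spend the actor's single appeal."""
    require_role(session_user, actor_id, {"admin"})
    record = RESTRICTIONS[actor_id]
    if not record["appeal_open"]:
        raise AppealClosed(f"appeal already submitted for {actor_id}")
    APPEALS.setdefault(actor_id, []).append({"by": session_user, "evidence": evidence})
    record["appeal_open"] = False
    return "accepted"


def handle_deeplink(session_user, native_url):
    """Server-side entry point: parse, then authorize, then serve."""
    actor_id = actor_from_deeplink(native_url)
    return get_restriction(session_user, actor_id)


if __name__ == "__main__":
    link = "fb://accountquality/?actor_id=actor-A&source=link"
    print("vulnerable:", get_restriction_vulnerable("carol", actor_from_deeplink(link)))
    try:
        handle_deeplink("carol", link)
    except AuthorizationError as exc:
        print("hardened:", exc)
    print("owner:", handle_deeplink("alice", link))
```

Two design points carry over to the real system. First, the check is keyed on the pair (session user, actor), not on the actor alone: the client can name any ID it likes, so the only trustworthy input is the server's own record of who holds a role where. Second, the write path is stricter than the read path and the denial is logged; a stream of AuthorizationError entries for one session user across many unrelated actors is exactly the enumeration pattern a detection team would want to see.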
Status: Won’t Fix (Still Active)
I reported this to Meta (Report ID: 795528783030044). Their official stance? “It doesn’t pose a security or privacy risk.”
I find that hard to believe. If a stranger can walk into a courtroom, pretend to be you, and plead “guilty” to a judge just to get you life in prison—that’s a huge problem. As of right now, this door is still wide open.