
Create Organic Pixel for Any Facebook Page

It seems Facebook is working on a feature called “Page Pixel” for Pages (shows as “Page Organic Pixel” in code). It is located as a tab in “Publishing Tools”. At the time of writing, it only shows a “Create Page Pixel” button, which displays an instruction to copy a specific Facebook Pixel ID to third-party services (e.g. Shopify).

The underlying endpoint that responds to “Create Page Pixel” requests seems to only work with Pages, and will throw errors if the input ID belongs to something else (e.g. User).

Impact

Judging by the placement of this feature as part of the Publishing Tools, only someone with a Page Role (likely Page Admin) should be allowed to create a Page Pixel for the corresponding Page.

But I, a complete stranger, am able to create a Page Pixel for any Facebook Page whether or not I have a Page Role on that Page. This should not have been possible if my guess is correct.

Proof of Concept

Server Request

HTTP POST /pages/organic_pixel/create/?page_id=ANY_PAGE_ID
Host: www.facebook.com

Server Response

{
  "payload": {
    "status": "success",
    "pixel_id": 1800000000000000
  }
}

Judging by the JSON payload in the response, a Page Pixel for the page has been successfully created.
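
The gap described under Impact, sketched as an added example (not Facebook's code and not part of the original report): a handler that validates the target ID is a Page but never checks the caller's role on it, next to the same handler with that check. All names, the sample data and the assumption that only the admin role may create a pixel are hypothetical.

```python
from itertools import count

# Constructed sample data: object id -> type, and page id -> {user id: role}.
OBJECT_TYPES = {"100": "page", "200": "user"}
PAGE_ROLES = {"100": {"alice": "admin", "bob": "analyst"}}
ROLES_ALLOWED_TO_CREATE = {"admin"}  # assumption: only Page Admins may create

PIXELS = {}             # page id -> pixel id (stand-in for persistent storage)
_pixel_ids = count(1)   # stand-in id generator


class Forbidden(Exception):
    """Caller is authenticated but holds no sufficient role on the target Page."""


def _require_page(page_id):
    # Type validation only: rejects ids that are not Pages (e.g. a User id).
    # It says nothing about who is asking.
    if OBJECT_TYPES.get(page_id) != "page":
        raise ValueError("page_id does not refer to a Page")


def _create(page_id):
    PIXELS[page_id] = next(_pixel_ids)
    return {"payload": {"status": "success", "pixel_id": PIXELS[page_id]}}


def create_page_pixel_unchecked(caller_id, page_id):
    """Behaviour matching the report: caller_id is never consulted."""
    _require_page(page_id)
    return _create(page_id)


def create_page_pixel_checked(caller_id, page_id):
    """Same handler with an object-level authorization check before the write."""
    _require_page(page_id)
    role = PAGE_ROLES.get(page_id, {}).get(caller_id)
    if role not in ROLES_ALLOWED_TO_CREATE:
        raise Forbidden(f"{caller_id} lacks a sufficient role on page {page_id}")
    return _create(page_id)
```

The check has to run server-side on every request and before any state change; hiding the tab in “Publishing Tools” from users without a role does not protect the endpoint behind it.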

Timeline

2018-07-13: Report Submitted

2018-07-17: Inquiries Requested by Facebook

2018-07-17: Additional Information Sent

2018-07-19: Demo Requested by Facebook

2018-07-19: Video Demo Sent

2018-07-20: Report handed over to another Facebook employee

2018-07-20: Further Investigation by Facebook

2018-08-01: Vulnerability Patched by Facebook

2018-08-01: Confirmation of Fix Requested by Facebook

2018-08-01: Confirmation of Fix Sent

2018-08-15: Report Marked as “Informative”, due to:

“It does not introduce a significant security or privacy risk.”