r/bugbounty
Cookie Manipulation (datr) to Bypass Identity Verification & Rate Limiting in Ads Manager
To: Meta Security Team / Ads Product Integrity Department
- Overview

I am writing to report a critical security loophole discovered within the Meta Ads Manager authentication flow. This vulnerability allows users to bypass mandatory Identity Verification (Checkpoint) and "Rate Limit" restrictions by manually manipulating the datr cookie value via Browser Developer Tools.

- Vulnerability Description

The system currently relies on the datr cookie as a primary identifier for browser trustworthiness. When a user encounters a "Frequency Limit" error (preventing misuse) or is prompted for an Email OTP, the system fails to cross-validate the session integrity if the datr value is substituted.

By replacing the current datr with a "clean" or "previously verified" cookie string, the security check is effectively neutralized, granting unauthorized access to sensitive Ad Account Settings and Business Manager assets without completing 2FA or OTP protocols.

- Steps to Reproduce (as demonstrated in the attached technical footage)
Step 1: Access Ads Manager under a restricted state (where the "Choose where to get the code" prompt appears).
Step 2: Open Browser DevTools -> Application -> Cookies.
Step 3: Modify/Inject a different datr value.
Step 4: Refresh the endpoint https://adsmanager.facebook.com/adsmanager/manage/ad_account_settings/ad_account_setup?act=&nav_entry_point=ads_ecosystem_navigation_menu&nav_source=ads_manager
Result: The system bypasses the verification screen and redirects directly to the internal account management interface.

- Impact Assessment
Account Takeover (ATO) Risk: Malicious actors can use harvested cookies to bypass security checkpoints on compromised accounts.
System Integrity: The "Rate Limiting" feature, designed to prevent automated misuse, can be easily circumvented, leading to potential bot-driven ad fraud.
Financial Risk: Unauthorized access to Billing and Payment methods within the Ads Manager.

- Recommended Remediation

We recommend implementing stricter server-side validation that binds the datr cookie more rigidly to the c_user (User ID) and xs (Session Secret). Furthermore, changing a hardware-level identifier like datr during an active challenge should trigger a hard logout or an immediate escalation of the security checkpoint.
I have attached a screen recording demonstrating the bypass for your technical review. I look forward to your response regarding this security concern.
Best regards,
Khang
u/Imaginary-Gas747 — 2 days ago
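As an added illustration of the remediation the report recommends (example code written for this page, not Meta's implementation): at login the server derives an HMAC tag that binds datr to c_user and xs and sets it as its own cookie; on later requests a datr that no longer matches the tag is refused, with a hard logout if a checkpoint is pending and an escalation otherwise. The server key, the `binding` cookie name and the `PENDING_CHALLENGES` store are assumptions made for the example.

```python
import hmac
import hashlib

# Constructed demo key; a deployment would use a managed, rotated secret.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Constructed in-memory record of users with a pending identity checkpoint,
# keyed by c_user. Stands in for whatever store tracks active challenges.
PENDING_CHALLENGES = {"100001": True}


def issue_binding(c_user: str, xs: str, datr: str) -> str:
    """At login, derive a tag that ties the device cookie (datr) to the user id
    and session secret. The server sets this as a 'binding' cookie; a client
    cannot recompute it for a different datr without SERVER_KEY."""
    msg = f"{c_user}|{xs}|{datr}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def check_request(cookies: dict) -> str:
    """Validate one request's cookies.
    Returns 'allow', 'escalate' (require the checkpoint) or 'hard_logout'."""
    c_user = cookies.get("c_user", "")
    xs = cookies.get("xs", "")
    datr = cookies.get("datr", "")
    presented = cookies.get("binding", "")
    expected = issue_binding(c_user, xs, datr)
    if hmac.compare_digest(expected, presented):
        return "allow"
    # datr (or another bound value) no longer matches the tag issued at login.
    if PENDING_CHALLENGES.get(c_user):
        return "hard_logout"   # device identifier changed mid-challenge
    return "escalate"          # otherwise force the checkpoint before proceeding
```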