Facebook Launched Call to Action (CTA) Units for Instant Articles which allows any Facebook Page to prompt readers to take a specific action. Since it was a new feature I thought to give it a try and I started testing it with different roles on the Page.


After setting up call to action units an admin can either enable it or disable it. As an analyst it was not possible to make any changes to CTA via the UI but the authorization was missing on the API endpoints which allowed an analyst of a Page to make changes to it.

The vulnerable endpoint was /CTA_ID/ and any analyst can disable call to action by making request to this vulnerable endpoint. Since CTA_ID can also be queried by an analyst which makes this bug exploitable.

Proof Of Concept

1. First retrieve CTA_ID by making an API call to :

{"data": [

2. Now make an API call to following endpoint :



A Call to Action is introduced to gain more customers through Instant articles. So if an analyst can disable it, this will affect the traffic for an Instant Article.


  • Reported – 06/09/2017
  • Triaged – 06/14/2017
  • Fixed – 07/01/2017
  • Bounty Awarded – 07/12/2017