Workplace from Facebook | Unauthorized access to companies' environments
In this article, I will be describing a serious vulnerability I found in Workplace, an enterprise social network from Facebook.
In Workplace, administrators can choose to activate an option called “self-invite”, which allows anyone to join without having an email address verified by the admin.
However, the server wasn’t correctly verifying the email used at registration, allowing accounts to be created with an email that wasn’t verified by the administrator.
This could have allowed a malicious user to access a company’s Workplace environment. However, this was only possible if the company had enabled the self-invite feature.
I was able to find this issue by analyzing network traffic on the “Workplace from Facebook” Android application.
- After registering a new account in my Workplace and reviewing the Burp Suite history tab, I came across the following request:
After some tests with this endpoint, I concluded that it was possible to create accounts in other Workplaces just by modifying “community_id”.
Using a personal email account (@gmail.com), it was already possible to exploit the vulnerability.
1. Requesting Activation Code:
POST /at_work/accounts_send_notification HTTP/1.1
Activation code successfully received.
2. Create a Facebook Workplace account:
POST /at_work/accounts_self_invite HTTP/1.1
nonce: activation code from first step.
community_id: Target company’s community ID.
Boom! The account has been successfully created, and now the attacker has free access to the files, photos, groups, emails and other data from the target company.
Not counting the employees’ exposure…
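A server-side check that would reject the modified request in step 2, as an added example that is not Facebook's code and not part of the original write-up: the activation nonce is bound to the (email, community_id) pair it was issued for, and eligibility is re-checked when the account is created. The function names, the in-memory store, the sample community IDs and the assumption that self-invite is limited to admin-approved email domains are all hypothetical.

```python
import secrets

# Constructed sample tenants; IDs and domains are made up for this example.
# Assumption: self-invite is meant for admin-approved email domains only.
COMMUNITIES = {
    "1001": {"self_invite": True, "domains": {"acme.example"}},
    "2002": {"self_invite": True, "domains": {"globex.example"}},
    "3003": {"self_invite": False, "domains": {"initech.example"}},
}
PENDING = {}  # nonce -> (email, community_id) it was issued for


def eligible(email, community_id):
    """True only if the community allows self-invite for this email's domain."""
    community = COMMUNITIES.get(community_id)
    if community is None or not community["self_invite"]:
        return False
    local, at, domain = email.rpartition("@")
    return bool(local and at) and domain.lower() in community["domains"]


def send_activation_code(email, community_id):
    """Step 1: issue a nonce bound to both the email and the community."""
    if not eligible(email, community_id):
        return None
    nonce = secrets.token_urlsafe(16)
    PENDING[nonce] = (email.lower(), community_id)
    return nonce  # a real service would email this instead of returning it


def self_invite(email, nonce, community_id):
    """Step 2: create the account only for the pair the nonce was issued for."""
    issued_for = PENDING.pop(nonce, None)  # single use, even on failure
    if issued_for != (email.lower(), community_id):
        return False
    # Re-check at creation time: settings may have changed since step 1.
    return eligible(email, community_id)
```

Because the nonce is consumed on the first attempt, a valid code cannot be replayed against a series of community IDs.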
- The attacker needed the ID of the target company’s community. It could be obtained through brute force, or from a former employee of the company.
- Some days after I received the bounty, I was able to find an endpoint which gives the community_id of any company in Workplace.
January 11, 2021 — Initial Report
January 25, 2021 — Triaged
February 9, 2021 — Bug Fixed
February 23, 2021 — Bounty awarded (27,5k)