Workplace from Facebook | Unauthorized access to companies environment

Hello Everyone,

In this article, I will be describing a serious vulnerability I found in Workplace, an enterprise social network from Facebook.



However, the server wasn’t correctly verifying the email address used at registration, which allowed accounts to be created with an email address that hadn’t been verified by the administrator.

This could have allowed a malicious user to access a company’s Workplace environment. However, it was only possible if the company had enabled the self-invite feature.



  • After registering a new account in my Workplace and reviewing the Burp Suite history tab, I came across the following request:

After some tests with this endpoint, I concluded that it was possible to create accounts in other Workplaces just by modifying the “community_id” parameter.

Using a personal email account, it was already possible to exploit the vulnerability.

Reproduction Steps:

1. Request an activation code:

POST /at_work/accounts_send_notification HTTP/1.1

Activation code successfully received.

2. Create a Facebook Workplace account:

POST /at_work/accounts_self_invite HTTP/1.1
  • nonce: the activation code from the first step.
  • community_id: the target company’s community ID.


Boom! The account has been successfully created, and now the attacker has free access to the files, photos, groups, emails and other data from the target company.

Not to mention the exposure of the company’s employees…
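To make the root cause concrete, here is an added example (my own illustration, not Workplace’s code) that models the two endpoints above in a few lines of Python. The community IDs, domains and email addresses are constructed sample values. The vulnerable handler trusts the community_id sent in the second request, exactly as described; the corrected handler only accepts a code for the community it was issued for, checks that the email domain has been verified by that community’s administrator, and makes the code expire and single-use.

```python
# Added example, not Workplace's code: a minimal model of the self-invite flow.
# All data below is constructed for the demo.
import hmac
import secrets
import time

# Constructed sample communities and the email domains their admins verified.
# "3001" stands in for a Workplace the attacker controls (the "my Workplace"
# from the article), where a personal address is legitimately verified.
COMMUNITIES = {
    "1001": {"name": "Acme Corp", "verified_domains": {"acme.example"}},
    "1002": {"name": "Globex", "verified_domains": {"globex.example"}},
    "3001": {"name": "Attacker's own Workplace", "verified_domains": {"personal.example"}},
}

PENDING_CODES = {}  # nonce -> {"email", "community_id", "expires"}
ACCOUNTS = {}       # community_id -> set of member emails
CODE_TTL_SECONDS = 15 * 60


def reset():
    """Clear the in-memory stores (demo helper)."""
    PENDING_CODES.clear()
    ACCOUNTS.clear()


def send_notification(email, community_id, now=None):
    """Step 1 (/at_work/accounts_send_notification): issue an activation code.

    The code is bound to BOTH the email and the community it was requested
    for, so it cannot later be redeemed against a different community.
    """
    now = time.time() if now is None else now
    email = email.strip().lower()
    domain = email.rpartition("@")[2]
    community = COMMUNITIES.get(community_id)
    if community is None or domain not in community["verified_domains"]:
        raise ValueError("email domain not verified for this community")
    nonce = secrets.token_urlsafe(32)
    PENDING_CODES[nonce] = {"email": email, "community_id": community_id,
                            "expires": now + CODE_TTL_SECONDS}
    return nonce  # in reality emailed to the user; returned here for the demo


def _lookup_nonce(nonce):
    # Constant-time comparison so timing does not reveal which codes exist.
    for stored, record in PENDING_CODES.items():
        if hmac.compare_digest(stored.encode(), nonce.encode()):
            return record
    return None


def self_invite_vulnerable(nonce, community_id):
    """Step 2 as the article describes it: the code only proves the email
    exists; the community_id from the request body is trusted blindly."""
    record = _lookup_nonce(nonce)
    if record is None:
        return "invalid code"
    ACCOUNTS.setdefault(community_id, set()).add(record["email"])
    return "created"


def self_invite_hardened(nonce, community_id, now=None):
    """Corrected handler: the code must be unexpired, issued for this very
    community, and the email domain must be verified there; then it is spent."""
    now = time.time() if now is None else now
    record = _lookup_nonce(nonce)
    if record is None or record["expires"] < now:
        return "invalid code"
    if record["community_id"] != community_id:
        return "code not issued for this community"
    domain = record["email"].rpartition("@")[2]
    verified = COMMUNITIES.get(community_id, {}).get("verified_domains", set())
    if domain not in verified:
        return "email domain not verified for this community"
    del PENDING_CODES[nonce]  # single use
    ACCOUNTS.setdefault(community_id, set()).add(record["email"])
    return "created"


if __name__ == "__main__":
    reset()
    code = send_notification("mallory@personal.example", "3001")
    print("vulnerable:", self_invite_vulnerable(code, "1001"))  # created
    print("hardened:", self_invite_hardened(code, "1001"))      # rejected
```

The decisive check is the community binding: once the activation code carries the community it was requested for, changing community_id in the second request achieves nothing, and the domain check catches any code that was issued without that binding.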



  • The attacker needed the target company’s community ID. It could be obtained through brute force, or from a former employee of the company.
  • Some days after I received the bounty, I found an endpoint that returns the community_id of any company in Workplace.


Thank you for taking the time to read my article.

My Twitter profile:

Brazilian, 19 years old