Sarmad Hassan

Published On: 15 Aug 2019

Send messages through notifications to Facebook & Workplace users without getting blocked

IDOR
Workplace | Web
---
LOW VALID

In Facebook Workplace there is a feature called "Safety Check", where Workplace admins can add their users as "Safety operators", which lets you report your status during a crisis. For more details about "Safety Check" see this link: https://web.facebook.com/workplace/features/safety-check?_rdc=1&_rdr

Description

The request that handles "add users" is vulnerable to an "IDOR" bug in the "operator_ids" parameter: the attacker is able to add any user to the "Safety check" as a "Safety operator", including users from outside the company on Workplace and users from the main Facebook website "facebook.com".

Impact

This allows the attacker to send messages through "notifications" to any user without getting blocked, because the attacker is from Workplace ;)




Reproduction Steps

Step 1

From the attacker's perspective:
====================

1- The attacker goes to https://workplace.facebook.com/ and logs in to his account.

Step 2

From the attacker's perspective:
====================

2- The attacker goes to "Admin panel" ==> "People", or he can browse directly to

https://workplace.facebook.com/work/admin/employees_manager/?filters[accountStatus][operator]=enumSetIs&filters[accountStatus][values][0][value]=invited&filters[accountStatus][values][1][value]=awaitingInvitation&filters[accountStatus][values][2][value]=claimed.

Step 3

From the attacker's perspective:
====================

3- The attacker selects "More options" ==> "Edit personal details" ====> in the name field, the attacker puts his "message" (the message he will send to other users); in our case he puts "You got pwned by JubaBaghdad ;)" ===> Save changes ===> OK.

Step 4

From the attacker's perspective:
====================

4- The attacker goes to "Safety check" by browsing to https://workplace.facebook.com/work/admin/safety_check/ ===> Add safety operator ===> selects any user from his company ====> intercepts the request with Burp Suite ===> Done

Step 5

From the attacker's perspective:
====================

5- The attacker will see a POST request like the one below:

POST /api/graphql/ HTTP/1.1
Host: workplace.facebook.com


av=100028780260452&......etc&variables={"input":{"client_mutation_id":"1563396993285:2071896173","actor_id":"100028780260452","operator_ids":["100028780260452"]}}&doc_id=2211145648957994


The vulnerable part is:
===============

variables={"input":{"client_mutation_id":"1563396993285:2071896173","actor_id":"100028780260452","operator_ids":["100028780260452"]}}

Where "operator_ids":["100028780260452"] is the vulnerable parameter.

Step 6

From the attacker's perspective:
====================

6- The attacker changes the id value in "operator_ids":["100028780260452"] to the victim's user ID, a user from facebook.com.

In our case the victim is "Sarmad Hassan", whose id is "100015771374169",

so the parameter becomes "operator_ids":["100015771374169"]


After that, the attacker forwards the request to the server.


Note: the attacker can also target Workplace users who are outside his community; he only needs their user ID.

Step 7

From the victim's perspective:
===================

7- Sarmad Hassan (user id 100015771374169) gets a notification from "Attacker" like the one below:

"You got pwned by JubaBaghdad ;)"


Sarmad Hassan (the victim) can't stop these notifications from the attacker, and he can't block the attacker, because the attacker is from Workplace.

My thoughts

1- If you take a look at the vulnerable parameter in the POST request, "operator_ids":["100028780260452"], it is an "array []". The attacker can take advantage of this array: he can put, let's say, hundreds or millions of user IDs in it, so imagine Facebook users all getting a notification from the attacker saying "You got pwned by JubaBaghdad".

2- There are many ways the attacker can take advantage of this bug, for example "social engineering" by tricking Facebook users through these notifications.

3- My favorite part, as I mentioned, is the "array []": the attacker can send to many users in one single request.
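The two weaknesses described above (the "operator_ids" values are not checked against the actor's community, and the array is not bounded) are both server-side authorization failures. The following is an added example written for this write-up, not Facebook's or Workplace's code: it parses the "variables" form field in the same shape as the request shown in Step 5 and applies the check the server should have made. The community membership table, the actor-to-community mapping, the 50-entry batch cap and all user ids other than the two that appear in the report are constructed placeholders.

```python
import json

# Constructed directory: community id -> set of member user ids.
# 100028780260452 is the actor id from the report; the 2000.../3000... ids are made up.
COMMUNITY_MEMBERS = {
    "community-A": {"100028780260452", "200000000000001", "200000000000002"},
    "community-B": {"300000000000001"},
}

# Constructed mapping: which community each admin actor is allowed to manage.
ACTOR_COMMUNITY = {"100028780260452": "community-A"}

# Assumed cap on ids per request; the page states no real limit.
MAX_OPERATORS_PER_REQUEST = 50


class AuthorizationError(Exception):
    """Raised when the actor is not allowed to add one of the requested ids."""


def add_safety_operators_unchecked(actor_id, operator_ids):
    """Vulnerable shape, as the report describes it: every id in the array is
    accepted, so anyone whose id is listed gets the notification."""
    return list(operator_ids)


def add_safety_operators(actor_id, operator_ids):
    """Hardened shape: every id must be a member of the community the actor
    administers, and the batch size is bounded. Fails closed on the whole batch
    rather than silently dropping the ids that are out of scope."""
    community = ACTOR_COMMUNITY.get(actor_id)
    if community is None:
        raise AuthorizationError("actor does not administer any community")
    if not isinstance(operator_ids, list) or not all(isinstance(u, str) for u in operator_ids):
        raise ValueError("operator_ids must be a list of user id strings")
    if len(operator_ids) > MAX_OPERATORS_PER_REQUEST:
        raise ValueError("too many operator ids in one request")
    members = COMMUNITY_MEMBERS[community]
    rejected = sorted(uid for uid in operator_ids if uid not in members)
    if rejected:
        raise AuthorizationError("ids outside the actor's community: " + ", ".join(rejected))
    # Deduplicate while preserving order so one user is not notified twice.
    return list(dict.fromkeys(operator_ids))


def handle_add_operators_request(session_user_id, variables_json):
    """Server-side handler for the mutation. session_user_id comes from the
    authenticated session; the actor_id in the body is only accepted if it
    matches, so a client cannot act as a different admin by editing the field.
    Returns {"ok": True, "operators": [...]} or {"ok": False, "error": "..."}."""
    try:
        payload = json.loads(variables_json)["input"]
        actor_id = payload["actor_id"]
        operator_ids = payload["operator_ids"]
    except (ValueError, KeyError, TypeError) as exc:
        return {"ok": False, "error": "malformed input: %s" % exc}
    if actor_id != session_user_id:
        return {"ok": False, "error": "actor_id does not match the session user"}
    try:
        accepted = add_safety_operators(actor_id, operator_ids)
    except (AuthorizationError, ValueError) as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "operators": accepted}


if __name__ == "__main__":
    # Same body shape as the report's request, with the victim id from Step 6.
    body = '{"input":{"client_mutation_id":"1563396993285:2071896173",' \
           '"actor_id":"100028780260452","operator_ids":["100015771374169"]}}'
    print(handle_add_operators_request("100028780260452", body))
```

The point of the hardened version is that the authorization decision is made per element of the array, against data the server already holds (who the actor is and which community he administers), and never against anything the client sent. The batch cap limits the blast radius of a single request independently of the membership check.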



Timeline

- Sarmad, 18 Jul 2019: Initial Report
- Facebook, 18 Jul 2019: Report Triaged
- Facebook, 04 Aug 2019: Fixed By Facebook
- Sarmad, 06 Aug 2019: Fix Confirmed
- Facebook, 15 Aug 2019: Bounty awarded
