Kassem Bazzoun

Published On: 09 May 2019

Sending customized, non-rate-limited SMS to any phone number on behalf of Facebook

Other
Facebook | Web
---
LOW VALID
Description

Using a premium Workplace account (Admin Panel), we are able to send a customized SMS to any phone number, with no rate limit. Note: the SMS is sent entirely from Facebook's servers; no third-party service or script is used.

Impact

This could have allowed a malicious user to spam SMS messages to arbitrary users and potentially phish users and increase cost to the company.




Reproduction Steps

Step 1

You need a premium Workplace account. Go to the Admin Panel.

Step 2

Open the People section in the left-hand menu, then click “Add Person”.

Step 3

Enter the victim's email address and phone number.

Step 4

The new user is added with status “Invited”. Open the three-dot menu next to the user.

Step 5

Choose “Send claim notification”.

Step 6

Then choose “All unclaimed accounts”.

Step 7

This dialog sends the claim instructions by email; the SMS option is not shown in the UI, so we need a trick to send an SMS instead. Type anything in the message field (this text is not included in the SMS), start intercepting requests in your proxy, and click the “Send” button.

Step 8

In the intercepted request, change the value of the “sms” parameter to “true”; this tells the server to send an SMS to the victim's phone number.

POST /atwork/async/send_confirmation_all/?dpr=1.5 HTTP/1.1
Host: workplace.facebook.com
Connection: close
Content-Length: 576

email_custom_text=anything&email=false&sms=true&unclaimed_within_department&unclaimed_for_manager&users_to_send&__user=100028254561229&__a=1&__dyn=5V8WXxa-cxp2u6aJei9FxqewRyWzEsheC267Uqzob4q6oF1q13wFw_x-ewSxumeK7EiwhUlwxz8S2S4okw-Dwxxu1PyoiyEqx60xU5SF82Nxi13wDw-CK6ooxu3a1lwRyUvy88E6W78jG48423648y4Ehyo8K2y6-3CcGEbo8lCwo87e7ouzHAye1iyEiwTxe3-2i&__req=cp&__be=1&__pc=PHASED%3ADEFAULT&__rev=4282274&fb_dtsg=AQGyUiM0WegT%3AAQEhjeNz_z9i&jazoest=2658171121851057748871011038458658169104106101781229512257105&__cid=262318221066636&__spin_r=4282274&__spin_b=trunk&__spin_t=1536195578

Step 9

The result: an SMS is received from Facebook in this form:

[company name] has set up Workplace for you

What if we change the company name to our own message?

Step 10

Back in the Admin Panel, go to “Preferences”. I noticed that the company name field accepts arbitrary text of more than 30 characters, including a link, so we can type a convincing message there and use the “company name” as our SMS body. Note that there is no limit on how many times the company name can be changed.

Step 11

I typed a message including the name of my website, then saved the company name.

Step 12

Now re-send the SMS (same steps as above).

Step 13

Another example :)

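The chain in the steps above reduces to three server-side mistakes: a channel flag (“sms”) that the UI never exposes but the endpoint still trusts from the client, a Preferences field with no length or content check whose value is dropped straight into the SMS template, and no rate limit on sending invitations. The following Python model is an added example, not Workplace or Facebook code: it shows the vulnerable handler beside a hardened one. Every name in it (handle_send_confirmation_vulnerable, handle_send_confirmation_hardened, set_company_name_hardened, Tenant, SmsGateway, RateLimiter, the 30-character cap and the link heuristic) is an assumption made for illustration, and the request body is constructed in the shape of the step 8 request with the session tokens removed.

```python
"""Model of the "send claim notification" flow described in the report.

Added example, not Workplace/Facebook code. The handler names, the
Tenant/SmsGateway/RateLimiter classes, the 30-character cap and the
link heuristic are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs
import time

# Wording of the SMS as quoted in the report; the rest of the model is assumed.
SMS_TEMPLATE = "{company} has set up Workplace for you"
MAX_COMPANY_NAME = 30  # assumed cap; the report notes that longer names were accepted

# Constructed request body in the shape of step 8 (session tokens omitted).
ATTACKER_BODY = (
    "email_custom_text=anything&email=false&sms=true"
    "&unclaimed_within_department&unclaimed_for_manager&users_to_send&__a=1"
)


class Rejected(Exception):
    """Raised when the hardened handlers refuse a request."""


@dataclass
class SmsGateway:
    """Stand-in for the SMS provider; records what would have been sent."""
    sent: list = field(default_factory=list)

    def send(self, number: str, text: str) -> None:
        self.sent.append((number, text))


@dataclass
class Tenant:
    company_name: str
    sms_enabled: bool = False  # the UI never offered SMS, so treat the channel as off
    admin_id: str = "admin"


class RateLimiter:
    """Fixed-window counter keyed by (actor, action)."""

    def __init__(self, limit: int, window_s: float, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self._hits: dict = {}

    def allow(self, key) -> bool:
        now = self.clock()
        start, count = self._hits.get(key, (now, 0))
        if now - start >= self.window_s:
            start, count = now, 0
        count += 1
        self._hits[key] = (start, count)
        return count <= self.limit


def parse_form(body: str) -> dict:
    """Decode a form-urlencoded body; bare keys such as 'users_to_send' become ''."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def handle_send_confirmation_vulnerable(body, tenant, gateway, phone):
    """Behaviour the report describes: the client-supplied 'sms' flag is honoured
    even though the UI never exposes it, and the tenant's company name (stored
    with no length or content check) is dropped straight into the message."""
    form = parse_form(body)
    if form.get("sms") == "true":
        gateway.send(phone, SMS_TEMPLATE.format(company=tenant.company_name))
        return "sms"
    return "email" if form.get("email") == "true" else "none"


def set_company_name_hardened(tenant, name):
    """Validate the Preferences field before it can ever become SMS content."""
    name = " ".join(name.split())
    if not 1 <= len(name) <= MAX_COMPANY_NAME:
        raise Rejected("company name length")
    lowered = name.lower()
    if "://" in lowered or "www." in lowered:  # assumed policy: no links in a company name
        raise Rejected("company name contains a link")
    tenant.company_name = name


def handle_send_confirmation_hardened(body, tenant, gateway, phone, limiter):
    """Same endpoint with the three fixes a reviewer would ask for."""
    form = parse_form(body)
    # 1. The channel is a server-side tenant setting; a client flag cannot turn it on.
    if form.get("sms") == "true" and not tenant.sms_enabled:
        raise Rejected("SMS channel not enabled for this tenant")
    # 2. Invitations are rate limited per admin, whatever the channel.
    if not limiter.allow((tenant.admin_id, "send_confirmation")):
        raise Rejected("rate limited")
    # 3. Free text from the form never reaches the SMS; only the validated name does.
    if form.get("sms") == "true":
        gateway.send(phone, SMS_TEMPLATE.format(company=tenant.company_name))
        return "sms"
    return "email" if form.get("email") == "true" else "none"
```

Run against ATTACKER_BODY, the vulnerable handler emits an SMS whose body is whatever the admin typed into the company name; the hardened handler refuses the request outright because SMS is not enabled for the tenant, refuses a company name that is too long or carries a link, and stops sending after the per-admin window is exhausted. The check order matters: the channel check runs before the limiter so that rejected requests do not consume quota, and the name is validated on write (in Preferences) rather than on send, so the template can never be reached with unvalidated text.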


Timeline

07 Sep 2018, Kassem: Initial Report

11 Sep 2018, Facebook: Pre-Triage. Thank you for your submission. We've managed to reproduce your report and will get back to you once we have had a chance to investigate.

12 Sep 2018, Facebook: Triage. Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you upd ...

18 Dec 2018, Facebook: Fixed. We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not res ...

18 Dec 2018, Kassem: Confirmation

20 Dec 2018, Facebook: Bounty Awarded. This could have allowed a malicious user to spam SMS messages to arbitrary users and potentially phish users and increase cost to the company.