Bugreader

Hello Community!

This issue was found a year ago in Workplace by Facebook but was marked as informative. I didn't share this write-up since it could be abused (whether its security impact is low or not), and once I noticed that the team had fixed it I decided to share it.

Note: it's a logical issue and I didn't use any tool to find it.

What is Facebook Workplace

Workplace is a communication tool that connects everyone in your company, even if they’re working remotely. Use familiar features like Groups, Chat, Rooms and Live video broadcasting to get people talking and working together.  

Registration 

In 2018, registration in Workplace was open only to business emails (e.g. @semicolonlb.net), so personal emails (e.g. gmail.com, hotmail.com) weren't allowed to register in Workplace.

Workplace Admin panel 

If you register via your business email (e.g. [email protected]) and verify that you own the domain, you'll be able to access the admin panel of your Workplace domain and start managing the Workplace that belongs to your company.


I started looking at the admin panel and noticed that once you add a new user to your company you can claim it manually, and there is an option to deactivate this account. Once you deactivate it, the user will not be able to register via his business email again, and a message appears that he should contact his Workplace representative.


An idea came to my mind: what if I could add a user with another business email that doesn't belong to my business domain and then deactivate this user?

For example, I own semicolonlb.net; can I add a new user to my company that belongs to the Facebook company, fb.com?

Unfortunately, no!

A message will appear that this person can't be invited as they're in another Workplace.

This message doesn't mean that this email is registered in another Workplace; it means that any email belonging to this domain isn't allowed, since the domain is registered on Workplace.

I then tried to add an email that belongs to another business domain, but one that has no record in Workplace (meaning no one has registered in Workplace with this domain). Let's say an email belongs to an employee at abc.com; since no one has registered in Workplace with this domain, I was able to add him to the semicolonlb.net Workplace admin panel.

What was the security issue here?

The scenario I reported in 2018 was:

Preventing employees of an organization from joining Workplace by banning their emails before their organization joins Workplace by Facebook.

Let's say someone from another company wants to ban [email protected] from registering in Workplace, taking into consideration that semicolonlb.net hasn't registered yet in Workplace (no email belonging to semicolon is registered yet). The attacker will follow these steps in his admin panel to ban [email protected]:

After adding the victim, deactivate this user.

Once the victim wants to register in Workplace he will see this message (Account closed), and he can't recover his email to re-register (I tried the forgot-password flow and it didn't work), so this email is banned forever.

If someone from semicolonlb.net registers after [email protected] is banned, the attacker can't reproduce the same scenario with another email (since semicolonlb.net now has a record in Workplace), so the attacker will not be able to add any email belonging to semicolonlb.net to his admin panel.

NOTE: After banning [email protected], I registered in Workplace via the semicolon domain and verified it to get access to the admin panel, then tested whether the admin of semicolon could recover the banned email, and found that we can't.

So only the attacker can unban [email protected].

This is the message if we try to add [email protected] to the semicolon admin panel:

I reported it to Facebook; they triaged it and later closed it as informative:

Thanks for the submission. After chatting with the Workplace team, I've confirmed they are already aware of this behavior. The risk here is mitigated somewhat by the fact that people cannot provision users with domains that have been registered by another company. Of course, if this is done before a company is on Workplace that won't be prevented. However in that case the company could always reach out to our support team to handle cases like this. Given that, we don't feel that this behavior poses a significant privacy or security risk and would not qualify under our program.

Report Re-opened

After 1 year (13 APRIL 2019), I noticed that Workplace was now open to personal emails, meaning that anyone is able to register in Workplace without using a business email, so you can use your gmail or hotmail account.

I remembered this report and decided to test whether I could ban any personal email from registering in Workplace! I followed the same steps above and found that I can always ban any personal email (as long as the email itself isn't registered yet, regardless of the domain).

I re-opened the report and sent the new information; Facebook asked me to submit a new report if I believed there was a security issue here.

The report was triaged again, and closed later with this reply:

After consulting the Workplace product team, we have confirmed that they are already aware of the behaviour you describe in this report also. We use rate limiting as one of several controls in place to detect and prevent potential large-scale abuse here. In the case of people who sign up to Workplace with a personal email address (i.e. gmail.com or outlook.com), they can always sign up with an alias or secondary email account. If this is not possible or otherwise poses a significant blocker in their evaluation of Workplace, they can always reach out to Workplace Support to provision an evaluation environment.

My Opinion 

I respect Facebook's decision, but I wasn't satisfied by this reply. Whether it has a low security impact or not, a product that belongs to Facebook shouldn't accept behavior like this! Anyone is able to ban any personal email? :-( .... OK, I agree that someone can register with an alias, but in your opinion are all normal users aware of email aliases? :-) I think any user has the right to use his personal email to register on any website without creating a new one!

Imagine you want to register on Facebook with your personal email, and suddenly you see this message without any reason!

Again, I respect their decision, and since they are aware of this behavior I didn't re-open the report and decided not to share it until they fixed it.

Patching

2 weeks ago, I noticed that this issue was fixed by allowing any email to register even if someone from another Workplace has deactivated it (and this is the normal behavior).
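The provisioning flow described in this write-up, and the patched behavior, as an added toy model (not Facebook's code): tenant names, domains and mailboxes are constructed; `patched=False` reproduces the reported behavior where a deactivation in any tenant blocks the mailbox from self-registering, while `patched=True` only honors a deactivation by the tenant that has verified the mailbox's domain.

```python
class Workplace:
    """Toy model of tenant provisioning; names and domains are constructed."""
    def __init__(self, patched):
        self.patched = patched      # False: reported behaviour, True: fixed behaviour
        self.domain_owner = {}      # verified domain -> tenant that owns it
        self.status = {}            # (tenant, email) -> "active" | "deactivated"
        self.registered = set()     # emails that completed self-registration

    @staticmethod
    def domain_of(email):
        return email.rsplit("@", 1)[1].lower()

    def verify_domain(self, tenant, domain):
        self.domain_owner[domain.lower()] = tenant

    def admin_add_user(self, tenant, email):
        # Guard described on the page: a domain verified by another tenant can't be invited.
        owner = self.domain_owner.get(self.domain_of(email))
        if owner is not None and owner != tenant:
            raise PermissionError("can't be invited as they're in another workplace")
        self.status[(tenant, email)] = "active"

    def admin_deactivate(self, tenant, email):
        if self.status.get((tenant, email)) != "active":
            raise KeyError("user is not provisioned in this tenant")
        self.status[(tenant, email)] = "deactivated"

    def register(self, email):
        """Self-registration. Returns (allowed, message)."""
        owner = self.domain_owner.get(self.domain_of(email))
        for (tenant, e), state in self.status.items():
            if e != email or state != "deactivated":
                continue
            if tenant == owner:                 # the org that really governs the mailbox
                return False, "Account closed: contact your Workplace representative"
            if not self.patched:                # any tenant's deactivation blocks signup
                return False, "Account closed"
        self.registered.add(email)
        return True, "ok"


def ban_attempt(patched):
    # A tenant provisions, then deactivates, a mailbox from a domain nobody has verified.
    wp = Workplace(patched)
    wp.verify_domain("attacker-co", "attacker.example")
    wp.admin_add_user("attacker-co", "victim@unclaimed.example")
    wp.admin_deactivate("attacker-co", "victim@unclaimed.example")
    return wp.register("victim@unclaimed.example")
```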

Timeline 

=========

Report sent: Tuesday, September 18, 2018 at 3:32 AM

Pre-triage: Thursday, September 20, 2018 at 10:19 PM

Triaged: Saturday, September 22, 2018 at 12:10 AM

Closed as informative: Wednesday, October 24, 2018 at 6:56 PM

Re-opened: Saturday, April 13, 2019 at 4:09 PM

Facebook asked to submit a new report: Friday, January 31, 2020 at 12:13 AM

Submitting new report: Saturday, February 1, 2020 at 6:38 PM

Facebook asked for new details: Friday, February 7, 2020 at 4:56 PM

Thanks for writing in. I understand that you have submitted this report as a follow-up to #------------- . To help us investigate this further, I have a couple of questions:

- Are you able to disable registration for all personal email addresses with a particular domain, or just for a single email address?

- Can the victim use the password reset or account recovery flows to regain access and create a new Workplace account?

Replying: Friday, February 7, 2020 at 7:58 PM

Pre-triaged: Monday, February 17, 2020 at 5:42 PM

Closed as informative: Tuesday, February 18, 2020 at 5:51 PM

Thanks for your patience here. After consulting the Workplace product team, we have confirmed that they are already aware of the behaviour you describe in this report also. We use rate limiting as one of several controls in place to detect and prevent potential large-scale abuse here. In the case of people who sign up to Workplace with a personal email address (i.e. gmail.com or outlook.com), they can always sign up with an alias or secondary email account. If this is not possible or otherwise poses a significant blocker in their evaluation of Workplace, they can always reach out to Workplace Support to provision an evaluation environment.