Send messages through notification to facebook & workplace users without getting blocked

Introduction

In Facebook Workplace there is a feature called “Safety Check”. Workplace admins can add their users as “Safety operators”, which lets those users report their status during a crisis. For more details about “Safety Check”, see https://web.facebook.com/workplace/features/safety-check?_rdc=1&_rdr

The finding

The functionality responsible for processing the “add users” request is susceptible to an “Insecure Direct Object Reference” (IDOR) vulnerability within the “operator_ids” parameter. This flaw enables an attacker to arbitrarily include any user as a “Safety operator” in the “Safety check” feature. Consequently, the attacker gains the ability to add users from external sources, including those outside the company’s workplace and from the primary Facebook website “facebook.com.”

This vulnerability further permits the attacker to exploit the “notifications” mechanism, allowing them to send messages to any user without the risk of being blocked. This exploitation becomes especially potent as it enables the attacker to send messages from the workplace context, evading potential security measures.

Reproduction Steps

1: The attacker initiates the process by navigating to https://workplace.facebook.com/ and logging into their account.

2: In the admin panel, accessible through “Admin panel” ==> “People” or via the link https://workplace.facebook.com/work/admin/employees_manager/?filters[accountStatus][operator]=enumSetIs&filters[accountStatus][values][0][value]=invited&filters[accountStatus][values][1][value]=awaitingInvitation&filters[accountStatus][values][2][value]=claimed, the attacker proceeds to manipulate user details.

3: Selecting “More options” ==> Edit Personal Details ==> Within the name tab, the attacker inserts a customized message (intended for other users). In this instance, the message is set as “You got pwned by JubaBaghdad ;)” ==> Save Changes ==> Confirm.

4: The attacker navigates to the “safety check” section by visiting https://workplace.facebook.com/work/admin/safety_check/ ==> Adds a safety operator ==> Chooses any user from their company ==> Intercepts the request using Burp Suite ==> Finalizes the action.

5: Upon inspecting the POST request, the attacker identifies the vulnerable section:

POST /api/graphql/ HTTP/1.1
Host: workplace.facebook.com

...other parameters...
variables={"input":{"client_mutation_id":"1563396993285:2071896173","actor_id":"100028780260452","operator_ids":["100028780260452"]}}
doc_id=2211145648957994

The vulnerability lies in "operator_ids":["100028780260452"].

6: The attacker manipulates the request by changing the ID value of operator_ids from their own to the victim’s ID, in this case, “Sarmad Hassan” with the ID “100015771374169”. The modified request appears as operator_ids":["100015771374169"].

7: Once the altered request is forwarded to the server, the victim, Sarmad Hassan (user ID 100015771374169), receives a notification from the attacker with the message: “You got pwned by JubaBaghdad ;)”

Victim’s Perspective:

7: Sarmad Hassan (victim) receives a notification from the attacker stating, “You got pwned by JubaBaghdad ;).” Unfortunately, the victim is unable to prevent these notifications or block the attacker within the facebook domain. The inability to block the attacker is compounded by the fact that the attacker operates within the workplace domain, making traditional measures ineffective.

My observations:

  1. Examining the vulnerable parameter in the POST request, "operator_ids":["100028780260452"], shows that it is an array. This is what makes the flaw exploitable at scale: the attacker can fill the array with hundreds or even millions of user IDs, so that Facebook users at large receive notifications from the attacker such as “You got pwned by JubaBaghdad”, creating a widespread impact.
  2. The impact of this vulnerability goes beyond sheer numbers. The notifications open the door to social engineering, since they arrive from a Workplace context and can be used to trick Facebook users. Users may unwittingly engage with malicious content presented through these deceptive notifications.
  3. The array mechanism is particularly noteworthy because it lets the attacker target numerous users in a single request, greatly increasing the efficiency of the attack. The ability to broadcast a message to a large audience at once raises the severity of this vulnerability and makes a prompt fix necessary.
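The fix such an endpoint needs is to authorize every ID in operator_ids the same way actor_id is authorized, and to bound the array. The following Python handler is an added example written for this post, not Meta's code; the Community directory, the field names taken from the request above, and the cap of 50 operators per request are assumptions for illustration.

```python
import json
from dataclasses import dataclass

# Assumed cap on operators per request; the reported endpoint accepted an unbounded array.
MAX_OPERATORS_PER_REQUEST = 50


@dataclass(frozen=True)
class Community:
    """Constructed stand-in for a Workplace tenant directory (assumption, not a real API)."""
    community_id: str
    admin_ids: frozenset
    member_ids: frozenset


def authorize_add_operators(actor_id: str, operator_ids, community: Community) -> dict:
    """Validate an add-safety-operators request before any write happens.

    The IDOR came from trusting operator_ids as sent. Every operator ID must pass
    the same tenant-membership check as actor_id, and the whole batch is rejected
    on any failure so the endpoint cannot be used to probe for IDs outside the tenant.
    """
    if actor_id not in community.admin_ids:
        return {"ok": False, "error": "actor_not_admin"}
    if not isinstance(operator_ids, list) or not all(isinstance(i, str) for i in operator_ids):
        return {"ok": False, "error": "malformed_operator_ids"}
    if len(operator_ids) > MAX_OPERATORS_PER_REQUEST:
        return {"ok": False, "error": "too_many_operators"}
    outside = sorted(set(operator_ids) - community.member_ids)
    if outside:
        # Only a count goes back to the client; the caller can log `outside` for detection.
        return {"ok": False, "error": "operator_not_in_community", "count": len(outside)}
    return {"ok": True, "operator_ids": sorted(set(operator_ids))}


def handle_mutation(variables: str, community: Community) -> dict:
    """Parse the `variables` form field from the GraphQL POST shown in the report."""
    try:
        inp = json.loads(variables)["input"]
        return authorize_add_operators(inp["actor_id"], inp["operator_ids"], community)
    except (ValueError, KeyError, TypeError):
        return {"ok": False, "error": "malformed_input"}


if __name__ == "__main__":
    # Constructed sample tenant: the admin ID is the one quoted in the report,
    # 200000000000001 is a made-up member, and the victim ID from the report is outside the tenant.
    acme = Community("acme", frozenset({"100028780260452"}), frozenset({"100028780260452", "200000000000001"}))
    print(handle_mutation('{"input":{"actor_id":"100028780260452","operator_ids":["200000000000001"]}}', acme))
    print(handle_mutation('{"input":{"actor_id":"100028780260452","operator_ids":["100015771374169"]}}', acme))
```

The second call reproduces the report's modified request and is refused with operator_not_in_community instead of sending a notification.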

Timeline

Sarmad | 18 Jul 2019

  • Initial Report

Meta Bug Bounty | 18 Jul 2019

  • Report Triaged

Meta Bug Bounty | 04 Aug 2019

  • Issue Resolved

Sarmad | 06 Aug 2019

  • Fix Confirmed

Meta Bug Bounty | 15 Aug 2019

  • Bounty Awarded

POC

