Description:
A non-admin user can perform substring searches against the email profile field even when the Workplace admin has hidden that field. The search match itself acts as an oracle: hiding the field only suppresses its display, not its use in matching.
Setup (as admin): from the Admin Panel, go to Settings >> Profile fields >> on the Email field turn visibility off.
Bug 1 : Reward $1000
===
Log in as a non-admin user in Workplace for Android.
1. Connect the phone with Workplace installed to a PC with USB debugging enabled.
2. Run this ADB command from a terminal to open the deep link:
adb shell am start -d "fb-work://at_work_company_dashboard_manage_people"
3. Workplace launches the "Manage People" activity, which a non-admin user is not supposed to reach through the UI.
4. In the search box, run any email substring query such as "@yahoo.com" or "@gmail.com", or a full email address; the users whose (hidden) email matches appear in the results.
5. In this dashboard the non-admin user can also see Claimed/Deactivated/Invited users.
Bug 2 : Reward $1000
===
In Workplace web, as a non-admin user:
1. Go to Directory >> Search box.
2. In the search box, run any email substring query such as "@yahoo.com" or "@gmail.com", or a full email address; the users whose (hidden) email matches appear in the results, even though the email field itself is not displayed.
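Both bugs share the same root cause: the visibility setting is applied when rendering a profile, while the search backend still matches the query against the hidden field, so "@gmail.com" enumerates users with Gmail addresses without ever showing an email. The following is an added example written for this page, not Workplace code; the user records, the status values ("claimed", "invited", "deactivated") and the visibility map are constructed to model the report. It shows a search that leaks through the hidden field beside one that restricts matching to fields the requester is allowed to see and, as in Bug 1, hides non-claimed accounts from non-admins.

```python
"""Hypothetical directory-search model (added example, not Workplace code)."""
from dataclasses import dataclass


@dataclass
class User:
    name: str
    email: str
    status: str  # constructed statuses: "claimed", "invited", "deactivated"


# Constructed sample directory.
DIRECTORY = [
    User("Alice Example", "alice@example.com", "claimed"),
    User("Bob Example", "bob@gmail.com", "claimed"),
    User("Carol Invite", "carol@yahoo.com", "invited"),
    User("Dan Former", "dan@gmail.com", "deactivated"),
]

# Assumed admin-controlled setting (Settings >> Profile fields): email hidden.
FIELD_VISIBILITY = {"name": True, "email": False}


def search_vulnerable(query, directory=DIRECTORY, visibility=FIELD_VISIBILITY):
    """Matches against every field and hides email only at display time.

    The match itself leaks: "@gmail.com" returns Bob and Dan although the
    email field is hidden, and status is never checked.
    """
    q = query.lower()
    results = []
    for u in directory:
        if q in u.name.lower() or q in u.email.lower():
            results.append({
                "name": u.name,
                "email": u.email if visibility["email"] else None,
            })
    return results


def search_hardened(query, requester_is_admin, directory=DIRECTORY,
                    visibility=FIELD_VISIBILITY):
    """Only fields the requester may see take part in matching, and
    non-admins only see claimed accounts. Display and matching share
    the same visibility decision, so hiding a field closes the oracle."""
    q = query.lower()
    results = []
    for u in directory:
        if not requester_is_admin and u.status != "claimed":
            continue  # invited/deactivated users are admin-only
        searchable = []
        if requester_is_admin or visibility["name"]:
            searchable.append(u.name)
        if requester_is_admin or visibility["email"]:
            searchable.append(u.email)
        if any(q in value.lower() for value in searchable):
            results.append({
                "name": u.name,
                "email": u.email if (requester_is_admin or visibility["email"]) else None,
            })
    return results


if __name__ == "__main__":
    print("vulnerable:", [r["name"] for r in search_vulnerable("@gmail.com")])
    print("hardened (non-admin):", search_hardened("@gmail.com", False))
    print("hardened (admin):", [r["name"] for r in search_hardened("@gmail.com", True)])
```

The check to carry over to any directory or "manage people" search: derive the set of matchable fields from the same visibility and role decision that governs display, rather than filtering the rendered result after the query has already matched.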
Timeline:
Bug 1:
05/October/20 : Submitted
14/October/20 : Resolved
Bug 2:
18/August/20 : Submitted
16/September/20: Resolved