Perform substring search for emails even if Workplace admin hides email profile field.

Description:
An attacker can perform a substring search for emails even if the Workplace admin has hidden the email profile field.

Setup (as admin): from the Admin Panel, go to Settings >> Profile fields >> Email field and turn visibility off.


Bug 1: Reward $1000 (Workplace4Android, logged in as a non-admin user)

  1. Connect a mobile device with Workplace installed to a PC with USB debugging enabled.
  2. Run the following ADB command from a terminal:

    adb shell am start -d "fb-work://at_work_company_dashboard_manage_people"

  3. Workplace launches the Manage People activity.
  4. In the search box, perform any email search query, e.g. @yahoo.com, @gmail.com, or a random full email address; the user associated with the searched email appears in the results.

  5. In this dashboard we can also see Claimed/Deactivated/Invited users.

Bug 2: Reward $1000 (Workplace web, as a non-admin user)

  1. Go to Directory >> Search box.
  2. In the search box, perform any email search query, e.g. @yahoo.com, @gmail.com, or a random full email address; the user associated with the searched email appears in the results.
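Both bugs share one root cause: the search backend matched queries against a profile field the admin had hidden, and (for Bug 1) the admin-only dashboard was reachable by deep link without a server-side role check. The following is an added illustration of that defect and its fix, written for this post; it is not Workplace's code. The directory entries, the `FIELD_VISIBILITY` table and all function names are constructed for the example.

```python
"""Directory search that honours admin-configured profile-field visibility.

Added example for this write-up (not Workplace's implementation). The users,
visibility table and function names below are constructed assumptions.
"""

# Constructed sample directory (fictional accounts).
USERS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example-corp.com",
     "status": "claimed", "role": "admin"},
    {"id": 2, "name": "Bob Example", "email": "bob@gmail.com",
     "status": "invited", "role": "member"},
    {"id": 3, "name": "Carol Example", "email": "carol@yahoo.com",
     "status": "deactivated", "role": "member"},
]

# What the admin set under Settings >> Profile fields (constructed): the
# email field is hidden, and account status is admin-only.
FIELD_VISIBILITY = {"name": True, "email": False, "status": False}

ADMIN = USERS[0]   # requester with the admin role
MEMBER = USERS[1]  # ordinary non-admin requester


def is_admin(requester):
    return requester.get("role") == "admin"


def search_directory_vulnerable(query, users=USERS):
    """The flawed behaviour: substring match on every field, visibility ignored.

    A non-admin searching "@gmail.com" learns which users have Gmail
    addresses even though the email field is hidden.
    """
    q = query.lower()
    return [u["id"] for u in users
            if q in u["name"].lower() or q in u["email"].lower()]


def searchable_fields(requester, visibility=FIELD_VISIBILITY):
    """Fields a requester may match against: admins see all, others only visible ones."""
    if is_admin(requester):
        return list(visibility)
    return [f for f, visible in visibility.items() if visible]


def redact(user, requester, visibility=FIELD_VISIBILITY):
    """Strip hidden fields from a result row so the response itself cannot leak them."""
    if is_admin(requester):
        return {k: v for k, v in user.items() if k != "role"}
    return {k: v for k, v in user.items()
            if k == "id" or visibility.get(k, False)}


def search_directory_fixed(query, requester, users=USERS,
                           visibility=FIELD_VISIBILITY):
    """Match only on fields the requester is allowed to see, then redact the rows."""
    q = query.lower()
    fields = searchable_fields(requester, visibility)
    hits = [u for u in users if any(q in u[f].lower() for f in fields)]
    return [redact(u, requester, visibility) for u in hits]


def manage_people(requester, users=USERS):
    """Handler behind the Manage People dashboard / deep link.

    The role check lives on the server: hiding the menu entry in the client
    is not access control, because a deep link (or adb) can open the activity.
    """
    if not is_admin(requester):
        raise PermissionError("manage_people requires the admin role")
    return [{"id": u["id"], "name": u["name"], "email": u["email"],
             "status": u["status"]} for u in users]


if __name__ == "__main__":
    print("vulnerable:", search_directory_vulnerable("@gmail.com"))
    print("fixed, member:", search_directory_fixed("@gmail.com", MEMBER))
    print("fixed, admin:", search_directory_fixed("@gmail.com", ADMIN))
```

The two checks in `search_directory_fixed` are deliberately separate: restricting the matchable fields stops the substring oracle (a "yes, someone has @yahoo.com" answer is a leak even when the email itself is not returned), while `redact` keeps a future change to the matching logic from re-exposing the hidden field in the response body.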

Timeline:
Bug 1:

  • 05/October/20: Submitted
  • 14/October/20: Resolved

Bug 2:

  • 18/August/20: Submitted
  • 16/September/20: Resolved

This post is licensed under CC BY 4.0 by the author.