Vertical Privilege Escalation in Facebook’s Workplace!

Hello, I’m Shubham and I have decided to share my finding on one of Facebook’s products “Workplace”!

More about Workplace!

Workplace is a communication tool that connects everyone in your company, even if they’re working remotely. Use familiar features such as Groups, Chat, Rooms, and live video broadcasting to get people talking and working together.

Let’s discuss Privilege Escalation. What is it? Impact?

Privilege escalation happens when a malicious user exploits a bug, design flaw, or configuration error in an application or operating system to gain elevated access to resources that should normally be unavailable to that user. Attackers start by exploiting a privilege escalation vulnerability in a target system or application, which lets them override the limitations of the current user account. They can then access the functionality and data of another user (horizontal privilege escalation) or obtain elevated privileges, typically of a system administrator or other power user (vertical privilege escalation). Such privilege escalation is generally just one of the steps performed in preparation for the main attack.

User access controls, permissions, privilege levels, etc. play a huge role in a big enterprise where security is the utmost priority. Hence, in case of a breach, the main goal is to minimize the damage as much as possible. One policy that protects the systems is the Principle of Least Privilege, where a user is given only the bare minimum set of permissions needed to do their work.

THE BUG:

So, let’s get into it! While testing, I noticed a lack of authorization checks when removing an employee from Frontline.

Frontline is a set of features designed to help you better connect and communicate with people who work away from a desk.

Workplace had released a new feature where employees can be added as frontline workers. This bug could allow a malicious user to add and/or remove an employee from the Frontline feature. Fascinating, isn’t it? It happened because the server did not properly validate the GraphQL request, so even lower privileged users could add and/or remove employees from Frontline. A similar issue existed when adding users to Frontline, but for the sake of this post let’s concentrate on the deletion part!

The following image shows that the lower privileged user was not given access to the Frontline feature.

[Image: A lower privileged user is not given access to Frontline.]

The following Burp response shows that the lower privileged user was nevertheless able to remove an employee from Frontline!

[Image: A successful deletion request from the lower privileged user.]

For clarity: by default, only a super admin can add or remove frontline employees.

Steps For Reproduction:

Send a POST request to https://www.facebook.com/api/graphql/ with the POST body below, as a lower privileged user.

The vulnerable friendly API name: WorkAdminUserSetsRemoveMemberMutation

POST Body:
av=attacker-id&__user=attacker-id&__a=1&__dyn=[snip]&__csr=&__req=29&__beoa=0&&__comet_req=0&fb_dtsg=[csrf-token]&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=WorkAdminUserSetsRemoveMemberMutation&variables={"input":{"client_mutation_id":"1","actor_id":"[admin-id]","member_id":"[victim-id]","scim_company_group_id":"2947554512010005"}}&server_timestamps=true&doc_id=1511390798990236

Sending the GraphQL request with the above friendly API name and POST body as a lower privileged user succeeds and removes the employee from Frontline membership.

If you are wondering how an attacker can get the IDs, the answer is that everything was available in the “Users” section.

The GraphQL request sends actor_id (the admin’s ID), member_id (the ID of the victim to be removed) and the group ID (scim_company_group_id) to the server, but the server does not properly check whether the client sending the request is actually authorized to perform this mutation.

Facebook’s Workplace comes with audit logs to keep track of incidents, but the application does not record additions to or removals from Frontline, which makes it harder for the victim organization to keep track of its frontline membership.
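As an added example that is not Workplace’s code (the post shows no server-side code), the following models the two problems described in the paragraphs above: a mutation handler that trusts the client-supplied actor_id and writes no audit entry, beside a hardened version that takes the actor from the authenticated session, enforces the super-admin role before changing state, and records both denied and successful attempts. All user IDs, roles, the session shape and the audit event names are constructed for the illustration.

```javascript
// Added illustration, not Workplace's code: a minimal "remove member from a
// frontline user set" mutation handler in the shape the post describes
// (client-supplied actor_id, no role check), next to a hardened version.
// Tenant data, role names, session shape and audit-event names are constructed.

// Constructed tenant: user roles, one frontline set, and an audit log.
function makeTenant() {
  return {
    users: { "admin-1": { role: "super_admin" }, "user-2": { role: "member" }, "user-3": { role: "member" } },
    frontlineSets: { "set-1": new Set(["user-3"]) },
    auditLog: [],
  };
}

// Vulnerable shape: trusts input.actor_id from the request body and never
// checks the role of the user the session actually belongs to, so any
// logged-in user can remove a frontline member by supplying an admin's id.
function removeMemberVulnerable(tenant, session, input) {
  const set = tenant.frontlineSets[input.scim_company_group_id];
  if (!set) return { ok: false, error: "NOT_FOUND" };
  set.delete(input.member_id);
  return { ok: true, actor: input.actor_id };
}

// Hardened shape: the actor is the authenticated session identity (the
// client-supplied actor_id is ignored), the role check runs before any state
// change, and denied as well as successful attempts go to the audit log.
function removeMemberHardened(tenant, session, input) {
  const actor = tenant.users[session.userId];
  const entry = { actor: session.userId, target: input.member_id, set: input.scim_company_group_id };
  if (!actor || actor.role !== "super_admin") {
    tenant.auditLog.push({ event: "frontline.remove.denied", ...entry });
    return { ok: false, error: "FORBIDDEN" };
  }
  const set = tenant.frontlineSets[input.scim_company_group_id];
  if (!set || !set.has(input.member_id)) return { ok: false, error: "NOT_FOUND" };
  set.delete(input.member_id);
  tenant.auditLog.push({ event: "frontline.remove", ...entry });
  return { ok: true, actor: session.userId };
}

// The same input shape the post's POST body carries (ids constructed), sent
// from a low-privileged session that pastes an admin's id into actor_id.
const lowPrivSession = { userId: "user-2" };
const sampleInput = { client_mutation_id: "1", actor_id: "admin-1", member_id: "user-3", scim_company_group_id: "set-1" };
```

Running removeMemberVulnerable with lowPrivSession and sampleInput removes user-3; removeMemberHardened refuses with FORBIDDEN and leaves a "frontline.remove.denied" audit entry, and only an "admin-1" session succeeds.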

What makes this bug more interesting is that the Frontline feature is a paid add-on to every Workplace subscription, meaning customers have to pay Facebook more whenever a new user is added as a frontline worker.

IMPACT:

This could allow a malicious actor to add and/or remove an employee from Frontline, affecting the availability of that feature for the affected user.
It could also cause Facebook’s customers to pay more than expected.

Unfortunate Timeline:

  • 31 July 2020 at 18:38 — Bug Reported
  • 4 August 2020 at 18:19 — Managed to reproduce {Facebook}
  • 21 August 2020 at 17:22 — More details asked {Facebook}
  • 22 August 2020 at 03:04 — More details provided
  • 17 September 2020 at 05:03 — Bug patched by {Facebook}
  • 22 September 2020 at 00:19 — Facebook Closed the bug as informative

For the people who are wondering “why was this closed as informative?!”

One of the replies I got from Facebook’s Security team was,

“Hi Shubham,

Unfortunately, after much discussion that I’ve initiated, we still arrived at the conclusion that this still doesn’t meet the minimum impact bar. The reason for that is that while a user here can affect the pricing of the instance, they can also remove users from the instance which achieves the same. We understand that the only difference is that changing this people set doesn’t have logs but that on its own was deemed to be not sufficient in this case.

I understand this might be frustrating but I’d encourage you to keep looking for bugs and I’m sure you’ll find something that clearly is above the bar. Wishing you best of luck with your next submissions and looking forward to them 🙂

Thanks,”

At this point in my life, I still don’t know how they calculate the Impact! 🙃

What’s Next?

More writeups are coming! So stay tuned!

Reference:
https://www.netsparker.com/blog/web-security/privilege-escalation/


2 Comments

  1. Vrushabh Doshi February 26, 2021 at 4:20 pm

    After reading your post, I am really disappointed by the Facebook Bug Bounty Program.

    1. Shubham Chaskar February 26, 2021 at 5:32 pm

      Luck plays a huge role sometimes! It doesn’t mean you will face the same! Try at least once. Best of luck 🙂