Become a member of closed & public groups

This bug allowed an attacker to add themselves as a member of closed and public groups using the Workplace platform.

1 — go to the Workplace platform:

2 — create a people set:

POST /api/graphql/ HTTP/1.1


3 — add your work ID to the people set you created:

POST /api/graphql/ HTTP/1.1


4 — add your work profile to a normal group (group not in :

POST /api/graphql/ HTTP/1.1


* normal_group * : a normal closed or public group (not in Workplace)

— — — — — — — — — — — — — — -
At this point the work user receives notifications about new posts and other group notifications.

But when the work user visits [normal_group], they are redirected to the personal profile (they are not a member of the group).

- the solution: try to add the personal user to the group from the work platform

visit this link:

you will see "Invite via link":

Visit the link and you can join the group as the personal user (see all members, create posts, …).
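The chain above, as an added example that is not part of the original write-up and not Facebook or Workplace code: a hypothetical Python model of the access-control flaw, in which a group tracks notification subscribers separately from real members, the Workplace people-set path never checks the target group's platform, and invite-link creation tests the wrong state. The class and function names, the "platform" labels and the link format are all assumptions; the fixed variants show where a defender would place the two missing checks.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    platform: str      # "workplace" or "personal" (assumed labels)
    privacy: str       # "closed" or "public"
    members: set = field(default_factory=set)
    subscribers: set = field(default_factory=set)  # notified, but not members

class AuthzError(Exception):
    pass

def can_view(group, user):
    # Models the redirect in step 4: subscribers are not members, so no access.
    return user in group.members

def add_people_set_vulnerable(group, people_set):
    # Workplace path as described: target group's platform is never checked.
    group.subscribers |= set(people_set)

def invite_link_vulnerable(group, actor):
    # Modelled flaw: "associated with the group" passes for mere subscribers.
    if actor not in group.members | group.subscribers:
        raise AuthzError("not associated with group")
    return f"https://example.invalid/groups/{group.name}/join?by={actor}"  # constructed

def redeem_invite(group, joiner):
    group.members.add(joiner)

def add_people_set_fixed(group, people_set):
    if group.platform != "workplace":
        raise AuthzError("people sets may only be added to Workplace groups")
    group.subscribers |= set(people_set)

def invite_link_fixed(group, actor):
    if actor not in group.members:
        raise AuthzError("only members may create invite links")
    return f"https://example.invalid/groups/{group.name}/join?by={actor}"

def personal_user_gets_in(add_set, make_link):
    # Replays the chain against one pair of checks; True means a non-member
    # work user was able to bring a personal profile into a personal group.
    g = Group("normal_group", "personal", "closed", members={"owner"})
    try:
        add_set(g, {"work_user"})
        make_link(g, "work_user")
    except AuthzError:
        return False
    redeem_invite(g, "personal_user")
    return can_view(g, "personal_user")
```

Either fix alone is enough to break the chain in this model, which is why the check belongs at both the import step and the invite step.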


August 22, 2019 — Report Sent
September 4, 2019 — Acknowledged by Facebook
September 10, 2019 — Fixed by Facebook
October 16, 2019 — Bounty awarded by Facebook ($7500)
