Facebook Workplace Privilege Escalation Vulnerability To Change The Post Privacy To Public

Hi everyone, this is Guhan Raja.

This blog post is about how I found a privilege escalation vulnerability in Facebook Workplace.


I had been testing Facebook's domains for a long time and found some juicy bugs. I reported all of them to their security team; some were marked as Duplicate and some as Informative. I got frustrated and decided to give their subdomains a try, so I moved to Facebook Workplace.

After surfing Facebook Workplace I came to know that I couldn't post anything publicly. Workplace works much like Facebook, so I copied the URL for editing the privacy of one of my posts on Facebook, replaced "m.facebook.com" with "workplace.m.facebook.com", replaced the "story id" and "profile id" parameter values with those of a Workplace post, and loaded the URL. I clicked on Public and then checked the Workplace post.

Wooooahhhh… the privacy of the post had changed to Public.
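The root cause described above is a classic one: the Workplace UI hides the "Public" option, but the server that handles the privacy-edit request only checks that the caller owns the story, not that the requested audience is legal for the kind of post being edited. The following is an added example (not Facebook's code, and all names, the policy table and the sample posts are assumptions) that models the vulnerable handler next to a fixed one which keys the allowed audiences on the post's own product rather than on which host or UI the request came from:

```python
"""
Added example, not code from the original write-up or from Facebook.
Models why hiding "Public" in the Workplace UI is not enough: the server
must enforce the allowed audiences for a post based on where the post
lives, not on which host or form the request arrived from.
All identifiers and the policy table below are assumptions.
"""
from dataclasses import dataclass

PUBLIC, FRIENDS, ONLY_ME, COMMUNITY = "PUBLIC", "FRIENDS", "ONLY_ME", "COMMUNITY"

# Hypothetical policy: a Workplace post may only be visible inside its own
# company; a facebook.com post may be public, friends-only or only-me.
ALLOWED_PRIVACY = {
    "facebook": {PUBLIC, FRIENDS, ONLY_ME},
    "workplace": {COMMUNITY, ONLY_ME},
}


@dataclass
class Post:
    story_id: int
    profile_id: int   # owner of the post
    product: str      # "facebook" or "workplace", fixed when the post is created
    privacy: str


class Forbidden(Exception):
    pass


def sample_posts():
    """Constructed sample data: one Workplace post and one facebook.com post,
    both owned by profile 1001 (the attacker edits their own posts here)."""
    return {
        555: Post(555, 1001, "workplace", COMMUNITY),
        777: Post(777, 1001, "facebook", FRIENDS),
    }


def set_privacy_vulnerable(posts, actor_id, story_id, privacy):
    """Ownership check only. The privacy value is trusted because the UI
    never offers an invalid one, so a hand-edited request that sends
    privacy=PUBLIC for a Workplace story id is accepted."""
    post = posts[story_id]
    if post.profile_id != actor_id:
        raise Forbidden("not the owner of this story")
    post.privacy = privacy  # no check that PUBLIC is legal for this post
    return post.privacy


def set_privacy_fixed(posts, actor_id, story_id, privacy):
    """Ownership check plus a server-side policy check keyed on the post's
    own product. Replaying the facebook.com edit URL against a Workplace
    story id, or editing the privacy parameter by hand, is now refused."""
    post = posts[story_id]
    if post.profile_id != actor_id:
        raise Forbidden("not the owner of this story")
    if privacy not in ALLOWED_PRIVACY[post.product]:
        raise Forbidden(f"{privacy} is not a valid audience for a {post.product} post")
    post.privacy = privacy
    return post.privacy


def replay_from_facebook_url(setter):
    """Replays the write-up: take the privacy-edit request facebook.com
    would send (privacy=PUBLIC), point it at a Workplace story id instead,
    and return the resulting privacy, or the refusal message."""
    posts = sample_posts()
    try:
        return setter(posts, actor_id=1001, story_id=555, privacy=PUBLIC)
    except Forbidden as e:
        return f"refused: {e}"


if __name__ == "__main__":
    print("vulnerable handler:", replay_from_facebook_url(set_privacy_vulnerable))
    print("fixed handler:     ", replay_from_facebook_url(set_privacy_fixed))
```

The check that matters is the one on `post.product`: the policy is looked up from the stored post, so neither the request host (`m.facebook.com` versus `workplace.m.facebook.com`) nor the submitted parameters can widen the audience beyond what the product allows.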

I reported the issue to the Facebook Security Team and was rewarded $500.

POC Video:

Reported- May 26, 2018
Triaged- Jul 16, 2018
Rewarded- Jul 31, 2019
Fixed- Aug 6, 2019


Written by Guhan Raja (குகன் ராஜா), Web Application Pentester

Published in InfoSec Write-ups: a collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew.
