Facebook Workplace Privilege Escalation Vulnerability To Change The Post Privacy As Public

Hi everyone, this is Guhan Raja.

This post is about how I found a privilege escalation vulnerability in Facebook Workplace.

I had been testing the Facebook domain for a long time and found some juicy bugs. I reported them all to their security team. Some were marked as Duplicate and some as Informative. I got frustrated and decided to give their subdomains a try, so I moved to Facebook Workplace.

After poking around Facebook Workplace I noticed that I could not post anything publicly; the Workplace UI simply does not offer a Public option. Workplace is very similar to Facebook, so I copied the URL used to edit the privacy of one of my Facebook posts, replaced "m.facebook.com" with "workplace.m.facebook.com", replaced the values of the "story id" and "profile id" parameters with those of my Workplace post, and loaded the URL. I clicked Public and then went back to check the Workplace post.

Wooooahhhh... the privacy of the post had changed to Public.

The security-relevant point: the Workplace UI hides the Public option, but the server-side privacy-change endpoint shared with facebook.com still accepted it. Restricting a privacy level in the client is not an authorization control; the server has to reject a privacy value that the post's product does not allow, whatever host the request was sent to.
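To make the bug class concrete, here is an added example (my own model, not code from the original post or from Facebook): a minimal privacy-change handler that checks only post ownership, beside a hardened version that also enforces the product's allowed privacy levels. The post ids, profile ids, the policy table and the handler names are all assumptions for illustration; the replay function walks through the same steps as the write-up, reusing the facebook.com request shape against a Workplace story.

```python
"""Added example, not from the original post or from Facebook.
Models a privacy-change endpoint shared between facebook.com and Workplace.
All ids, names and the policy table below are constructed for illustration."""

from dataclasses import dataclass

# Constructed sample data: which product each post belongs to and who owns it.
POSTS = {
    "story_1001": {"owner": "profile_42", "product": "facebook", "privacy": "friends"},
    "story_2001": {"owner": "profile_42", "product": "workplace", "privacy": "company"},
}

# Assumed product policy: Workplace has no public privacy level at all.
ALLOWED_PRIVACY = {
    "facebook": {"only_me", "friends", "public"},
    "workplace": {"only_me", "team", "company"},
}


@dataclass
class Request:
    host: str        # e.g. "m.facebook.com" or "workplace.m.facebook.com"
    actor: str       # authenticated profile sending the request
    story_id: str    # the "story id" parameter from the URL
    profile_id: str  # the "profile id" parameter from the URL
    privacy: str     # requested privacy level


def set_privacy_vulnerable(req, posts):
    """Checks ownership only. The host the request came through decides
    nothing, and the post's product policy is never consulted, so a
    Workplace post accepts 'public' exactly like a facebook.com post."""
    post = posts[req.story_id]
    if post["owner"] != req.actor or post["owner"] != req.profile_id:
        return "forbidden"
    post["privacy"] = req.privacy
    return "ok"


def set_privacy_fixed(req, posts):
    """Ownership check plus a policy check keyed on the post's product.
    The caller controls the host and the parameters; the server decides
    which product the story belongs to and what that product allows."""
    post = posts.get(req.story_id)
    if post is None:
        return "not_found"
    if post["owner"] != req.actor or post["owner"] != req.profile_id:
        return "forbidden"
    if req.privacy not in ALLOWED_PRIVACY[post["product"]]:
        return "invalid_privacy"
    post["privacy"] = req.privacy
    return "ok"


def replay_attack(handler):
    """Reproduce the write-up's steps against a fresh copy of the data:
    send the facebook.com privacy-edit request, then swap in the Workplace
    host and the Workplace story/profile ids and ask for 'public'.
    Returns (handler result, final privacy of the Workplace post)."""
    posts = {k: dict(v) for k, v in POSTS.items()}
    fb_request = Request("m.facebook.com", "profile_42",
                         "story_1001", "profile_42", "public")
    assert handler(fb_request, posts) == "ok"  # legitimate on facebook.com
    wp_request = Request("workplace.m.facebook.com", "profile_42",
                         "story_2001", "profile_42", "public")
    result = handler(wp_request, posts)
    return result, posts["story_2001"]["privacy"]


if __name__ == "__main__":
    print("vulnerable:", replay_attack(set_privacy_vulnerable))  # ('ok', 'public')
    print("fixed:     ", replay_attack(set_privacy_fixed))       # ('invalid_privacy', 'company')
```

The fix deliberately does not look at `req.host`: an attacker chooses the host, the path and every parameter, so the only thing the server can trust is its own record of which product the story belongs to and what privacy levels that product permits.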

I reported the issue to the Facebook Security Team and was rewarded $500.

POC Video:

Reported- May 26, 2018
Triaged- Jul 16, 2018
Rewarded- Jul 31, 2019
Fixed- Aug 6, 2019


InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Written by Guhan Raja (குகன் ராஜா), Web Application Pentester
