Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Workplace is a self-managed Facebook for an enterprise environment. Access to a community is a privilege, granted according to the requirements set by its administrator.
During account creation, the server did not correctly verify the email address used for registration if the self-invite feature was turned on. For example, only employees with an @domain.com address should be able to self-register. This is a horrible bug that allows anybody to join the organization.
An attacker needed to know the community_id in order to launch this attack. However, the author of this post found a way to link an id to a company, making this a little more impactful.
It is unbelievable that this simple bug existed in Facebook Workplace. Does Facebook do internal pentests? I really hope they do! Bugs like this seem to be all over the place.
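The server-side check that the self-registration flow above depends on, as an added example that is not code from the original post or from Workplace. The community IDs, settings layout and function names are hypothetical; the post does not say where in the flow the check was missing, so this sketch enforces it both when the confirmation token is issued and when registration completes.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample settings; the IDs and field names are hypothetical.
COMMUNITIES = {
    "1001": {"self_invite": True, "allowed_domains": {"domain.com"}},
    "1002": {"self_invite": False, "allowed_domains": {"domain.com"}},
}
SECRET = secrets.token_bytes(32)  # server-side key for confirmation tokens


def email_domain(email: str) -> Optional[str]:
    """Return the normalized domain, or None if the address is malformed."""
    email = email.strip()
    if email.count("@") != 1 or any(c.isspace() for c in email):
        return None
    local, domain = email.split("@")
    domain = domain.lower().rstrip(".")
    return domain if local and domain else None


def may_self_register(community_id: str, email: str) -> bool:
    """Exact-match the domain, and only when self-invite is enabled."""
    community = COMMUNITIES.get(community_id)
    if community is None or not community["self_invite"]:
        return False
    # Exact set membership: a suffix or substring test would accept
    # look-alike domains such as domain.com.evil.example.
    return email_domain(email) in community["allowed_domains"]


def issue_token(community_id: str, email: str) -> Optional[str]:
    """Token bound to (community, email); mailed to that address only."""
    if not may_self_register(community_id, email):
        return None
    msg = f"{community_id}|{email.strip().lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def complete_registration(community_id: str, email: str, token: str) -> bool:
    """Re-run the policy check at completion, then verify the token."""
    expected = issue_token(community_id, email)
    return expected is not None and hmac.compare_digest(expected, token)
```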