Unauthorized Access in Workplace by Facebook

We discussed this vulnerability during Episode 76 on 11 May 2021

Workplace by Facebook would allow workplace administrators to enable a “self-invite” option: anyone with an email address on an approved domain could invite themselves into the workplace. The request that actually created the invite, however, did not validate the domain. The author doesn’t say whether the domain is validated anywhere, but there appear to be several requests earlier in the flow, so it was probably checked in one of those. Sending the invite-creation request directly skipped that earlier check, and the invite went through.
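The pattern described above, a multi-step flow where the domain check lives in an earlier request and the final invite-creation request trusts it, modelled as an added example. This is not Workplace's code; the two-step flow, the `eligible` flag, the `InviteStore` class and the `example-corp.com` allow-list are all constructed for illustration. The vulnerable handler accepts a client-supplied result of step 1; the hardened handler re-derives eligibility from the email and the allow-list on the request that actually creates the invite.

```python
# Added example (not Workplace's code): a self-invite flow modelled as two
# steps, showing why the step that creates the invite must re-check the
# email domain instead of trusting that an earlier step did.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample allow-list of approved email domains.
APPROVED_DOMAINS: Set[str] = {"example-corp.com"}


def email_domain(email: str) -> Optional[str]:
    """Return the normalized (lower-cased) domain of an address,
    or None if the address is malformed (no '@', several '@', empty parts)."""
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain.strip():
        return None
    return domain.strip().lower()


def domain_is_approved(email: str, approved: Set[str]) -> bool:
    """Exact match against the allow-list. Lookalikes such as
    'example-corp.com.evil.test' or a suffix match are rejected."""
    domain = email_domain(email)
    return domain is not None and domain in approved


@dataclass
class InviteStore:
    """Stand-in for wherever created invites are persisted (constructed)."""
    invites: List[str] = field(default_factory=list)


def check_eligibility(email: str, approved: Set[str]) -> Dict[str, object]:
    """Step 1 of the flow: the UI calls this first and forwards the
    response to step 2."""
    return {"email": email, "eligible": domain_is_approved(email, approved)}


def create_invite_vulnerable(step1_response: Dict[str, object],
                             store: InviteStore) -> bool:
    """Step 2, vulnerable: trusts the 'eligible' flag carried in the
    request. A request built directly, without going through step 1,
    controls that flag, so the allow-list is never consulted here."""
    if not step1_response.get("eligible"):
        return False
    store.invites.append(str(step1_response["email"]).lower())
    return True


def create_invite_hardened(step1_response: Dict[str, object],
                           store: InviteStore,
                           approved: Set[str]) -> bool:
    """Step 2, hardened: the server re-derives eligibility from the email
    and the allow-list on this request; any client-supplied flag is ignored."""
    email = str(step1_response.get("email", ""))
    if not domain_is_approved(email, approved):
        return False
    store.invites.append(email.lower())
    return True


if __name__ == "__main__":
    legit = check_eligibility("alice@example-corp.com", APPROVED_DOMAINS)
    print("hardened, legitimate:", create_invite_hardened(legit, InviteStore(), APPROVED_DOMAINS))
    # A step-2 body that never went through step 1 (constructed).
    direct = {"email": "mallory@evil.test", "eligible": True}
    print("vulnerable, direct request:", create_invite_vulnerable(direct, InviteStore()))
    print("hardened, direct request:", create_invite_hardened(direct, InviteStore(), APPROVED_DOMAINS))
```

The design point is that authorization state must not travel with the client between steps: each request that has a side effect (here, creating the invite) performs the check itself, and exact domain matching after normalization avoids the suffix and case tricks that a looser comparison would let through.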