Full Report
In April of 2022, Meta announced a Contact Point Deanonymization bug bounty program. These are bugs that enable matching of Uniquely Identifiable Information (UII) to User IDs: anything from finding an email address and linking it to a profile, to many other things. Naturally, emails and other contact points are important for the login/signup process, so with this new program the author decided to take a look there.

When passing an email to the password reset functionality, a masked email address is shown. While playing around with the older domain of the Enterprise version of Facebook (Workplace), the author noticed some slightly different functionality on it. In particular, ONLY the email address and username were supported (not the phone number). On the old Workplace domain, they tried passing valid Meta accounts, but nothing worked. However, it was still using some of Facebook's account cookies, indicating that the two domains were somewhat linked. They started the flow on Facebook, then used the cookies on the Workplace domain. When they visited the page for entering the OTP, the email was shown in an unmasked state. This is a perfect example of the kind of information disclosure bug this new program is trying to fix!

The actual fix was to mask the email address on the reset page and only allow OTP validation to happen on the respective domain. Overall, it's a pretty neat bug! With these extremely large systems, the intermingling of services can cause problems, and this is where recon is incredibly important.
Analysis Summary
# Vulnerability: Contact Point Deanonymization via Legacy Workplace Domain
## CVE Details
- **CVE ID:** Not assigned (Publicly disclosed via Meta Bug Bounty program)
- **CVSS Score:** Estimated 6.5 (Medium) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- **CWE:** CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
## Affected Systems
- **Products:** Meta (Facebook) Core Infrastructure and Workplace by Meta
- **Versions:** All web versions prior to January 25, 2022
- **Configurations:** Accounts with a linked mobile number and a primary email address.
## Vulnerability Description
The flaw stems from inconsistent data masking across Meta's segmented domains. While the main Facebook password reset flow correctly masks User Identifiable Information (UII), a legacy/alternative Workplace domain (`work.facebook.com`) shared the same session cookies and backend logic but lacked the same UI masking constraints.
By initiating a password reset using a mobile number on the main Facebook domain and then navigating to the OTP (One-Time Password) entry endpoint on the Workplace domain, the system would display the victim's primary email address in an **unmasked state**. This effectively allowed for "Contact Point Deanonymization," where a publicly known identifier (phone number) could be used to retrieve a private identifier (email address).
## Exploitation
- **Status:** PoC available (Validated by Meta)
- **Complexity:** Low
- **Attack Vector:** Network
- **Pre-requisites:** Knowledge of the victim's mobile number. No active session/authentication is required to trigger the reset flow.
## Impact
- **Confidentiality:** **High** - Allows for the disclosure of private email addresses linked to Facebook accounts.
- **Integrity:** **None** - No data is modified.
- **Availability:** **None** - System availability is unaffected.
## Remediation
### Patches
Meta implemented a server-side fix across its ecosystem on **January 25, 2022**.
- All email addresses are now masked on password reset pages regardless of the domain (Facebook or Workplace).
- Domain-specific validation ensures that Workplace OTP endpoints only process Workplace-specific account requests.
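As an added illustration of the two fixes listed above (not Meta's code; the host names, the `ResetFlow` record and the masking format are assumptions), a reset handler that masks the contact point identically on every host and refuses both the OTP page and OTP validation for a flow that was started on a different host:

```python
"""Added example, not Meta's implementation: consistent contact-point
masking plus domain-scoped OTP handling for a password-reset flow.
Hosts, the ResetFlow record and the mask format are assumptions."""
import hmac
from dataclasses import dataclass

FACEBOOK_HOST = "www.facebook.com"    # host where the reset is normally started
WORKPLACE_HOST = "work.facebook.com"  # legacy Workplace host named in the advisory


@dataclass
class ResetFlow:
    flow_id: str
    origin_host: str    # host on which the reset flow was initiated
    contact_email: str  # private contact point that must never be echoed unmasked
    otp: str


def mask_email(email: str) -> str:
    """Mask an email the same way on every host: keep the first character of
    the local part and of the domain plus the TLD; hide the rest with a
    fixed-width run of '*' so the mask does not leak the real length."""
    local, _, domain = email.partition("@")
    dot = domain.rfind(".")
    tld = domain[dot:] if dot > 0 else ""
    return f"{local[:1]}*****@{domain[:1]}*****{tld}"


def render_otp_page(flow: ResetFlow, request_host: str) -> dict:
    """Build the OTP entry page for a request arriving on request_host.
    A flow started on another host is rejected outright (this is the
    cross-domain path the bug used), and the page only ever carries the
    masked contact point."""
    if request_host != flow.origin_host:
        return {"status": 403, "error": "reset flow is not valid on this host"}
    return {"status": 200, "contact_hint": mask_email(flow.contact_email)}


def verify_otp(flow: ResetFlow, request_host: str, submitted: str) -> bool:
    """Accept an OTP only on the host that issued the flow, comparing in
    constant time."""
    if request_host != flow.origin_host:
        return False
    return hmac.compare_digest(flow.otp, submitted)
```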
### Workarounds
- There are no user-side workarounds as this was a server-side logic flaw. Users can limit exposure by removing mobile numbers from their public profiles, though this vulnerability bypassed profile privacy settings.
## Detection
- **Indicators of Compromise:** Unusual spikes in traffic to the password reset endpoints (`/recover/code/`), particularly when originating from the same IP address targeting multiple mobile numbers.
- **Detection Methods:** Organizations can monitor for automated "scraping" behavior that rotates through phone number lists to harvest linked email addresses.
## References
- **Vendor Advisory:** [Meta Bug Bounty Program Updates]
- **Original Research:** hxxps[://]lokeshdlk77[.]medium[.]com/contact-point-deanonymization-vulnerability-in-meta-90d575c4d8ef
- **Related Product:** hxxps[://]www[.]workplace[.]com/