Category: IT|Jun 27, 2016 | Author: Admin

Critical Vulnerability on Facebook Lets You Delete Any Video You Want

A security researcher from India named Pranav Hivarekar discovered a critical vulnerability on Facebook’s website that allowed him to delete any video of his choice.


The vulnerability was in a new feature Facebook added to its service earlier this month. The added feature is the ability to post videos in the comment section on other Facebook posts.

Bug is due to “a flaw in logic”

According to the researcher, after messing around with some Facebook API requests, he was easily able to delete any video uploaded on the platform based on its video ID.

“This bug is proof of flaw in logic rather than daily technical flaws which we see like SSRF, RCE, etc.,” the researcher explains.

According to Hivarekar, the issue is that when a user uploads a video in a comment, the video is first uploaded to their Facebook profile and given a video ID; it is then attached to the desired post using that video ID.

Facebook forgot to add permission checks to the delete operation

During his tests, Hivarekar discovered that he could create a comment using the Facebook API, send another API request to attach any video ID from any user to that comment, and then use another API request to delete the comment.

Since the video's ID was attached to the comment, the video was removed along with the comment. The researcher says that Facebook’s employees forgot to add a permission check to verify that the person deleting the comment was the owner of both the comment and the video.
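The create/attach/delete flow described above can be modelled in a few lines. The following Python sketch is an added example, not Facebook's code or the researcher's requests; the `Store` class, its method names, and the users and IDs are hypothetical. It places handlers without ownership checks next to versions that verify the caller owns both the comment and the video.

```python
import contextlib
class Forbidden(Exception):
    """Caller does not own the object it is acting on."""

class Store:
    """Toy in-memory model; every name here is hypothetical."""
    def __init__(self):
        self.videos = {}     # video_id -> owner
        self.comments = {}   # comment_id -> {"owner": ..., "video_id": ...}

    def upload_video(self, user, video_id):
        self.videos[video_id] = user
    def create_comment(self, user, comment_id):
        self.comments[comment_id] = {"owner": user, "video_id": None}

    # Flawed flow from the article: any video ID attaches, delete cascades.
    def attach_unchecked(self, user, comment_id, video_id):
        self.comments[comment_id]["video_id"] = video_id
    def delete_comment_unchecked(self, user, comment_id):
        comment = self.comments.pop(comment_id)
        self.videos.pop(comment["video_id"], None)

    # Hardened flow: ownership is checked at attach time and again at delete.
    def attach(self, user, comment_id, video_id):
        comment = self.comments[comment_id]
        if comment["owner"] != user or self.videos.get(video_id) != user:
            raise Forbidden("caller must own both the comment and the video")
        comment["video_id"] = video_id

    def delete_comment(self, user, comment_id):
        comment = self.comments[comment_id]
        if comment["owner"] != user:
            raise Forbidden("caller does not own the comment")
        del self.comments[comment_id]
        # Cascade only to a video the caller owns, even if attach was bypassed.
        if self.videos.get(comment["video_id"]) == user:
            del self.videos[comment["video_id"]]

def victim_video_survives(hardened):
    """Replay create/attach/delete with constructed sample users and IDs."""
    s = Store()
    s.upload_video("alice", "v1")
    s.create_comment("mallory", "c1")
    attach = s.attach if hardened else s.attach_unchecked
    delete = s.delete_comment if hardened else s.delete_comment_unchecked
    with contextlib.suppress(Forbidden):  # hardened attach rejects v1
        attach("mallory", "c1", "v1")
    delete("mallory", "c1")
    return "v1" in s.videos
```

The second check in `delete_comment` is deliberate: even if a foreign video ID reaches a comment through some other path, the cascade still refuses to remove a video the caller does not own.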

Hivarekar added that he reported the issue to Facebook through the company’s bug bounty program on June 11, just two days after the video commenting feature went live.

Facebook released a temporary fix after just 23 minutes and patched the bug once and for all 11 hours later. For his extremely critical bug, the researcher states, Facebook gave him a five-digit bug bounty reward.
