Jun 27, 2016

Critical Vulnerability on Facebook Lets You Delete Any Video You Want

authorarticle: Master3395
Category: IT
Posted by: Admin

A security researcher from India named Pranav Hivarekar discovered a critical vulnerability on Facebook’s website that allowed him to delete any video of his choice.

The vulnerability was in a new feature Facebook added to its service earlier this month. The added feature is the ability to post videos in the comment section on other Facebook posts.

Bug is due to “a flaw in logic”

According to the researcher, after messing around with some Facebook API requests, he was easily able to delete any video uploaded on the platform based on its video ID.

“This bug is proof of flaw in logic rather than daily technical flaws which we see like SSRF, RCE, etc.,” the researcher explains.

According to Hivarekar, the issue is that when a user uploads a video in a comment, the video is first uploaded to their Facebook profile and given a video ID, and is then attached to the desired post based on that video ID.

Facebook forgot to add permission checks to the delete operation

During his tests, Hivarekar discovered that he could create a comment using the Facebook API, send another API request to attach any video ID from any user to that comment, and then use a further API request to delete the comment.

Since the video ID was attached to the comment, the video was removed along with the comment. The researcher says that Facebook’s employees forgot to add a permission check to verify that the person deleting the comment was the owner of both the comment and the video.
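The missing check described above, as an added example that is not from the article or from Facebook's code: a toy in-memory model (the `Store` class, the user names and the IDs are all hypothetical) in which `check_video_owner=False` reproduces the flaw and `True` enforces video ownership at attach time and again before the cascading delete.

```python
from dataclasses import dataclass
from typing import Optional

class Forbidden(Exception):
    """Caller does not own the object being acted on."""

@dataclass
class Comment:
    owner: str
    video_id: Optional[int] = None

class Store:
    """Toy in-memory model, constructed for illustration (not Facebook's API)."""
    def __init__(self, check_video_owner: bool):
        self.check_video_owner = check_video_owner  # False models the flaw
        self.videos = {}    # video_id -> owner
        self.comments = {}  # comment_id -> Comment

    def attach_video(self, user, comment_id, video_id):
        comment = self.comments[comment_id]
        if comment.owner != user:
            raise Forbidden("not the comment owner")
        # The check the article says was missing: caller must own the video too.
        if self.check_video_owner and self.videos.get(video_id) != user:
            raise Forbidden("not the video owner")
        comment.video_id = video_id

    def delete_comment(self, user, comment_id):
        comment = self.comments[comment_id]
        if comment.owner != user:
            raise Forbidden("not the comment owner")
        del self.comments[comment_id]
        vid = comment.video_id
        # Defence in depth: re-check ownership before the cascading delete.
        if vid is not None and (not self.check_video_owner
                                or self.videos.get(vid) == user):
            self.videos.pop(vid, None)

def victim_video_survives(check_video_owner: bool) -> bool:
    """Replay the reported sequence with two constructed users."""
    s = Store(check_video_owner)
    s.videos[1001] = "victim"               # victim's uploaded video
    s.comments[1] = Comment(owner="other")  # other user's own comment
    try:
        s.attach_video("other", 1, 1001)    # attach a video they do not own
    except Forbidden:
        pass                                # hardened path rejects here
    s.delete_comment("other", 1)            # deleting own comment is allowed
    return 1001 in s.videos
```

Checking ownership in both places matters: the attach-time check stops the reference from being created, and the delete-time check keeps the cascade safe even if a stale or unchecked reference already exists.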

Hivarekar added that he reported the issue to Facebook through the company’s bug bounty program on June 11, just two days after the video commenting feature went live.

Facebook managed to release a temporary fix after just 23 minutes and patched the bug once and for all 11 hours later. For his extremely critical bug, the researcher states Facebook gave him a five-digit bug bounty reward.
