IT | Jun 27, 2016 | Master3395
A security researcher from India, named Pranav Hivarekar discovered a critical vulnerability on Facebook’s website that allowed him to delete any video of his choice.
The vulnerability was in a new feature Facebook added to its service earlier this month. The added feature is the ability to post videos in the comment section on other Facebook posts.
Bug is due to “a flaw in logic”
According to the researcher, after messing around with some Facebook API requests, he was easily able to delete any video uploaded on the platform based on its video ID.
“This bug is proof of flaw in logic rather than daily technical flaws which we see like SSRF, RCE, etc.,” the researcherexplains.
According to Hivarekar the issue, is that when a user uploads a video in comments, the video is first uploaded to their Facebook profile and is given a video ID, then it is attached to the desired post based on that video ID given earlier.
Facebook forgot to add permission checks to the delete operation
During his tests, Hivarekar discovered that he can create a comment using the Facebook API, he can then send another API request to attach any video ID from any user as the comment, and he can later use another API request and delete the comment.
Since the ID of video was attached to the comment, the video was removed as well with the comment. The researcher says that Facebook’s employees forgot to add permission check to see if the person who is deleting the comment was the owner of the comment and also the owner of the video or not.
Hivarekar added that he reported the issue to Facebook using the company’s bug bounty program held on June 11, just two days after the video commenting feature went live.
Facebook managed to release a temporary fix just after 23 minutes and patched the bug once and for all 11 hours later. For his extremely critical bug, the researcher states Facebook gave him a five-digit bug bounty reward.