Facebook recently updated its social networking platform with a new feature that allows anyone to comment along with a video on another person’s post. The change came as an advantage to more engaging and immersive conversations. Apart from videos, one can also post photos, stickers and emojis to. However, it seemed too good to be true as the new feature was also having a small flaw. The videos could be deleted, by anyone.
A security researcher from Pune managed to delete another person’s videos, which is usually allowed only by the person whose post it is. The Pune techie Pranav Hivarekar discovered the critical vulnerability on Facebook which allows him to delete any video he wanted.
According to a report filed by him on his own blog, he managed to figure out within the flaw within two hours of the launch of the new feature. Using these inpact flaws, he was able to form a bug to delete any video he wanted.
‘This bug is proof of flaw in logic rather than daily technical flaws which we see like RCE, SSRF, etc,’ he said on his post. ‘When we upload a video as a comment, then this video gets uploaded onto user/page 's timeline and then it gets attached to the post as a video comment using it's video-id. eg. When any user comments using a video on any random post, then video will first get uploaded to the user's timeline and then video-id will be returned. This video-id gets attached to the post as a video comment,’ he continues.
Since he loves to play around with APIs, he found a simple attack logic from GraphAPI. All he needed to do is create a comment via the API, then edit the comment and attach a video of your choice using the video ID and delete the comment via the API.
Using this flaw, he said, he could attach anyone’s video to his comment using the video ID. And when he deletes the comment, the video ID also gets deleted, which means, the original video also will be erased.
He has provided a proof of concept on his blog where he explains the necessary actions needed to do the required.
He got in touch with Facebook on June 10, 2016 and sent a report on his findings. He received a confirmation from Facebook’s developers in the same day and also was told that a temporary fix was applied on Facebook. After he confirmed the bug fix by testing it himself, he received a 5-digit bounty as a reward.
Facebook has patched the vulnerability for good within 11 hours.
