Facebook flaw allows any user to delete any video from anybody’s FB post
A Facebook vulnerability allows you can delete any videos on Facebook in any users timeline by abusing a ‘logic flaw.’ The critical vulnerability was discovered by a Indian security researcher, Pranav Hivarekar, who found that the flaw allowed him to delete any video he wanted.
Pranav says that he was intrigued by the new video uploads in comments feature unveiled earlier this month by Facebook. “I came across a note New: Videos in Comments! written by Bob Baldwin who works at Facebook. This note was about Facebook launching it’s new feature of commenting using videos. eg. Now, users were allowed to upload a video in comments,” he says.
He started fiddling around with the Facebook APIs and found that he was able to delete any video uploaded on the platform, based on its video ID. “This bug is proof of flaw in logic rather than daily technical flaws which we see like RCE, SSRF, etc.,” the researcher explains.
Pranav found that when a user uploads a video as a comment, the video is uploaded to his Facebook profile, it’s given a video ID, and then attached to the desired post based on that video ID. However, during this operation Facebook forgot to add permission checks to the delete operation. In his tests, the researcher discovered that he could create a comment via the Facebook API, he could then send another API request to attach any video ID from any user as the comment, and he could later use another API request to delete the comment.
Now since Facebook has not added any API for deleting the video requests, he could easily abuse it to delete the video.
Proof Of Concept
1.Create a comment on a post via API.
Api call :
POST /< post id>/comments?message=test
2.Edit the comment and attach a VIDEO of your choice via API.
Video id : 1739331926310614 (Video to be deleted)
Api call :
POST /< comment id>?attachment_id=1739331926310614
Video added as a comment.
3.Delete the comment. Wait 20 secs. (As it takes 20 secs to DELETE the video from Facebook’s server.)
Api call :
DELETE /< comment id>
This will delete the video.
Pranav reported the issue to Facebook through its bug bounty program on 11th June, two days after the video commenting feature was activated. Facebook issued a temporary fixed after only 23 minutes, and later patched the bug for good after 11 hours.
Pranav was awarded a five digit bug bounty reward by Facebook for his research.