Facebook Bug Allowed Hacker to Delete Any Video


Facebook has patched a serious security flaw that would have allowed hackers to delete any video uploaded in comments on someone's Facebook post.

The critical vulnerability on Facebook's platform was discovered by Indian security researcher Pranav Hivarekar, who was able to delete any video of his choice by abusing this logic flaw.

The issue actually resided in the new

video comment

feature Facebook added to its service at the start of the month, which allows Facebook users to post videos as comments on Facebook posts.

A Simple Logic Flaw Allowed Removal of Any Video 

The vulnerability, according to Hivarekar, was a logic flaw rather than a technical flaw like Remote Code Execution (RCE) or Server-Side Request Forgery (SSRF).

According to Hivarekar, when a Facebook user uploads any video as a comment, the video is uploaded onto his Facebook timeline and is given a video ID. This video is then attached to the desired Facebook post based on that video ID.

After playing around with some Facebook API (Application Program Interface) requests, Hivarekar was able to delete any video uploaded as a comment on the platform, based on its video ID.

Here's How to Delete Any Video from Facebook

The researcher used a simple attack logic to do so:

Created a comment using the Facebook API.

Sent another API request to attach any video ID from any user as the comment.

Then use another API request later to delete the comment.

Since the video ID was attached to his comment, the video also got deleted with the removal of Hivarekar comment.

What went Wrong?

According to Hivarekar, Facebook forgot to add permission checks to verify if the user deleting a particular comment was the owner of that comment and the owner of the attached video.

"There are no permission checks placed to verify if the user owns the video," Hivarekar said in his blog post. "Assumptions are made that user will ONLY upload/attach his/her own videos."

Hivarekar reported the issue to the Facebook's bug bounty team on June 11, and within 23 minutes, Facebook released a temporary fix for the issue, and later completely patched the bug after 11 hours.

The researcher also says the social media giant rewarded him a five-digit bug bounty for his efforts.



from The Hacker News http://ift.tt/28TDJPW