Pranav Hivarekar, a security researcher based in Pune, India, has discovered a critical vulnerability on Facebook’s platform that allowed him to delete any video he wanted.
The problem was in a feature Facebook added to its service at the start of the month: the ability to post videos as comments on other Facebook posts.
Researcher says the bug is “a flaw in logic”
The researcher says that after fiddling around with some Facebook API requests, he was able to delete any video uploaded on the platform, based on its video ID.
“This bug is proof of flaw in logic rather than daily technical flaws which we see like RCE, SSRF, etc.,” the researcher says.
The issue, according to Hivarekar, is that when a user uploads a video as a comment, the video is uploaded to that user's Facebook profile, given a video ID, and then attached to the desired post based on that video ID.
Facebook forgot to add permission checks to the delete operation
In his tests, the researcher discovered that he could create a comment via the Facebook API, then send another API request to attach any video ID from any user to that comment, and later use another API request to delete the comment.
Since the video ID was attached to the comment, the video was removed as well. Hivarekar says that Facebook’s employees forgot to add permission checks to see if the person deleting the comment was the owner of the comment, and the owner of the video.
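The missing check can be shown in a small model. This is an added example, not code from Facebook or the researcher: it contrasts a delete that cascades to whatever video ID is attached with one that authorizes the caller against both the comment and the video. All names (Store, Comment, attach, delete, user_a, user_b) and the sample data are assumptions made for illustration.

```python
# Constructed toy model: names and data layout are assumptions, not Facebook's API.
from dataclasses import dataclass
from typing import Optional

class Forbidden(Exception):
    pass

@dataclass
class Comment:
    owner: str
    video_id: Optional[int] = None

class Store:
    def __init__(self, videos, comments):
        self.videos = dict(videos)      # video_id -> owner
        self.comments = dict(comments)  # comment_id -> Comment

    # Flow as the article describes it: no ownership checks on attach or delete.
    def attach_unchecked(self, actor, comment_id, video_id):
        self.comments[comment_id].video_id = video_id

    def delete_unchecked(self, actor, comment_id):
        comment = self.comments.pop(comment_id)
        self.videos.pop(comment.video_id, None)  # cascade hits any owner's video

    # Hardened flow: authorize the actor against every object the call touches.
    def attach(self, actor, comment_id, video_id):
        if self.comments[comment_id].owner != actor:
            raise Forbidden("actor does not own the comment")
        if self.videos.get(video_id) != actor:
            raise Forbidden("actor does not own the video")
        self.comments[comment_id].video_id = video_id

    def delete(self, actor, comment_id):
        comment = self.comments[comment_id]
        if comment.owner != actor:
            raise Forbidden("actor does not own the comment")
        del self.comments[comment_id]
        # Re-check at delete time: cascade only to a video the actor owns.
        if self.videos.get(comment.video_id) == actor:
            del self.videos[comment.video_id]

def sample_store():
    # Constructed sample data: video 100 belongs to user_a, video 200 to user_b.
    return Store({100: "user_a", 200: "user_b"},
                 {1: Comment("user_b"), 2: Comment("user_a", 200)})
```

Comment 2 in the sample data already points at a video its owner does not own, so the delete-time check is exercised on its own: the comment is removed and the video survives.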
The researcher says he reported the issue to Facebook via the company’s bug bounty program on June 11, two days after the video commenting feature went live.
Facebook issued a temporary fix after only 23 minutes, and later patched the bug for good after 11 hours. For his extremely critical bug, the researcher says Facebook gave him a five-digit bug bounty reward.