A new discovered Facebook flaw shows that cyber attackers can delete videos from anyone’s Facebook account without consent from the account user.
The new flaw, which uses the logic flaw and exploits it, makes it possible for users to delete any video from any account’s post or their timelines. Fortunately, the flaw was discovered by an Indian white hat hacker by the name of Pranav Hivarekar. He was the one who managed to discover that he could delete any video he wanted from Facebook.
Pranav said that the new video uploads comment section which Facebook recently rolled out to customers earlier this year had intrigued him and he was going through his Facebook when he saw a note about the inception of video commenting which was from an employee at Facebook by the name Bob Baldwin. He said that the note indicated that users could now comment on their friends’ posts and other posts on Facebook with videos. Users were now allowed to upload videos in the comment section he said.
He began to work on the technology and through the Facebook APIs, he managed to notice a flaw which allowed him to delete any video that might have been uploaded to the platform he was on. All this was dependent on the type of video ID that the uploaded videos had. Pranav explained that the bug he noticed was proof of flaw rather than the normal daily flaws which researchers notice such as the RCE, SSRF, and many others.
He noticed that users who uploaded videos as comments, the videos would be posted on their Facebook profile, after which it would be given a video ID. After that process, the video would them be attached to the desired post based on the video ID it had been given. This is where the problem is. Facebook forgot to add permission checks to the delete operation opening a wide door for hackers to exploit.
Pranav noticed in the researchers that he did that he could essentially create comments through the Facebook API and after that send a request for another API so as to attach any random video ID from any user as a comment on one of the posts. After this, he could then send another API request which would lead to the deletion of the video.
And since Facebook has not added the API for deleting video requests, any hacker or user could simply abuse it to delete any video comment they wanted.
After his research, Pranav reported the issue to Facebook. Facebook on its part acted promptly and swiftly to fix the problem for the program they had issued out two days earlier. They managed to patch the problem 23 minutes after it had been reported and patched the whole problem 11 hours later. Pranav submitted the problem thanks to the bug bounty program that Facebook has.
Reports indicate that he got a five-figure bounty reward and a big thank you from the Facebook people. Everyone thanks him for his research because work of white hat hackers like him has made it easier for the tech companies which employ the bug bounty program to give users a nearly flawless program.