Pranav Hivarekar


Facebook's API Bug - Add/Remove `videos` from `video playlists` using an `user access_token` with `public_profile` permissions

Posted by Pranav Hivarekar on Apr 03, 2015


The endpoint /{videolist_id}/videos is undocumented. So, we cannot find any real documentation
about this on developer's site. But still using analogy between other endpoints and this endpoint we can guess the working.

Facebook recently released new features for pages. This was the one. Now, we can upload videos on a page and then create a video playlist and arrange relevant videos for our audience. So, it gave really cool looks to our loved facebook pages.

Before folks were allowed to only upload videos to a page but creating video playlists was not offered. So, it was difficult for audience to navigate through video content. Also, it troubled page managers.

Now, using graph api, using an user access_token with public_profile permissions, it was allowed to add/remove videos from video playlists.

I researched and found an analogy between other endpoints. And in the end, I came to the conclusion that for dealing with pages or creating/editing contents on pages, it demands manage_pages permissions. And if we need to modify/edit the object then we must possess publish_pages permissions. So, this bug was good to go.

Proof Of Concept

  1. Post a video on a page.
  2. Go to page and create a new Video Playlist.
  3. Now, add the video to the Video Playlist you created.
  4. Now any app having user access_token with public_profile permissions, can REMOVE the video from playlist.

Request ( User access_token with public_profile permissions)

DELETE /638315639602275/videos?video_ids%5B0%5D=729336823853677&access_token=redacted


"success": true

The video got removed from video playlist. :D

My special thanks to Neal. :-) And Facebook's security team. :)


Mar 27, 2015 11:11pm – Report Sent
Mar 28, 2015 6:46am – Escalation by Facebook
Apr 2, 2015 12:48am – Asked about confirmation of fix
Apr 2, 2015 11:05am – Fixed confirmed by me
Apr 2, 2015 2:11pm – Bounty awarded by Facebook