Facebook's Bug - Delete any video from Facebook
The story
I came across a note, "New: Videos in Comments!", written by Bob Baldwin, who works at Facebook. This note was about Facebook launching its new feature of commenting using videos.
e.g. Now, users were allowed to upload a video in comments.
When I saw this note, the video comment feature had already been out for 8 hrs. So, I started playing around and testing this feature to find out how it works. After 2 hrs, I was able to figure out some pretty interesting low-impact flaws. Using these low-impact flaws, I was able to form a bug to DELETE ANY VIDEO.
At that time, I was like ...
Seriously, I am able to DELETE ANY VIDEO of my choice from FACEBOOK.
The Bug
This bug is proof of a flaw in logic, rather than the everyday technical flaws we see like RCE, SSRF, etc.
Developers logic
When we upload a video as a comment, this video gets uploaded onto the user's/page's timeline and then it gets attached to the post as a video comment using its video-id.
e.g. When any user comments using a video on any random post, the video will first get uploaded to the user's timeline and then a video-id will be returned. This video-id gets attached to the post as a video comment.
My attack Logic
I love APIs. So, I got to this via the Graph API. Below is the simple attack logic.
- Create a comment via API.
- Edit the comment and attach a video of your choice using video_id via API.
- Delete the comment via API.
This was removing the attached video using its video-id.
Here, there are two simple flaws ...
- I am able to attach anyone's video to my comment using its video-id.
- When I delete my comment, the attached video gets deleted, as it uses ONLY the video-id and there are no permission checks in place to verify that the user owns the video. Assumptions are made that the user will ONLY upload/attach his/her own videos.
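The two missing checks above, modelled as an added Python example (not from the original post and not Facebook's code): a toy in-memory comment service run with and without ownership enforcement. All class, function and user names are hypothetical, and the sample data is constructed.

```python
import itertools

# Toy in-memory model (constructed; all names are hypothetical).
class Forbidden(Exception):
    pass

class CommentService:
    def __init__(self, enforce_ownership):
        self.enforce = enforce_ownership
        self.videos = {}      # video_id -> owner
        self.comments = {}    # comment_id -> {"author": ..., "video_id": ...}
        self._ids = itertools.count(1)

    def create_comment(self, user):
        cid = next(self._ids)
        self.comments[cid] = {"author": user, "video_id": None}
        return cid

    def attach_video(self, user, cid, video_id):
        if self.comments[cid]["author"] != user:
            raise Forbidden("not the comment author")
        # Flaw 1: without this check, any video-id can be attached.
        if self.enforce and self.videos.get(video_id) != user:
            raise Forbidden("caller does not own this video")
        self.comments[cid]["video_id"] = video_id

    def delete_comment(self, user, cid):
        if self.comments[cid]["author"] != user:
            raise Forbidden("not the comment author")
        video_id = self.comments.pop(cid)["video_id"]
        # Flaw 2: the cascade trusted the video-id alone. Re-check the owner
        # here as well, so a comment that already references someone else's
        # video cannot take that video down with it.
        if video_id is None or (self.enforce and self.videos.get(video_id) != user):
            return
        self.videos.pop(video_id, None)

def victim_video_survives(enforce_ownership):
    """Replay create -> attach -> delete as 'mallory' against alice's video."""
    svc = CommentService(enforce_ownership)
    svc.videos["vid-alice"] = "alice"      # constructed sample data
    cid = svc.create_comment("mallory")
    try:
        svc.attach_video("mallory", cid, "vid-alice")
    except Forbidden:
        pass                               # enforced path rejects the attach
    svc.delete_comment("mallory", cid)
    return "vid-alice" in svc.videos
```

The check is placed at both the attach and the delete step so that either one alone stops the cascade.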
Proof Of Concept
1. Create a comment on a post via API.
API call:
Reference: https://developers.facebook.com/docs/graph-api/reference/object/comments/
POST /<post id>/comments?message=test
2. Edit the comment and attach a VIDEO of your choice via API.
Video id: 1739331926310614 (video to be deleted)
API call:
Reference: https://developers.facebook.com/docs/graph-api/reference/v2.6/comment
POST /<comment id>?attachment_id=1739331926310614
Video added as a comment.
3. Delete the comment. Wait 20 secs. (As it takes 20 secs to DELETE the video from Facebook's server.)
API call:
Reference: https://developers.facebook.com/docs/graph-api/reference/v2.6/comment
DELETE /<comment id>
This will delete the video.
This vulnerability was temporarily fixed by the Facebook team 23 minutes after confirmation of the flaw.
The permanent fix was live 10-12 hrs after that.
Kudos to Facebook. :)
How I got this hit?
I have been following some YouTube channels, some great books and some other material which I mentioned in this note on my page to improve my life. The book "The Power Of Subconscious Mind" mentioned in my note is really life changing and has some really cool techniques to take you to a whole new level. I recommend this book to everyone who wants to achieve great things in their life.
Also, it's worth mentioning that it took me more than 1.5 years to find this high-impact bug.
Special Thanks
I would like to thank all my friends, well-wishers and everyone around me who plays an important role in motivating me. Also, the Facebook Security Team for patching this bug before it went into the wrong hands.
Timeline
June 10, 2016 at 3:53pm - Report Sent
June 10, 2016 at 8:36pm - Initial Response by Facebook
June 10, 2016 at 8:51pm - My Response to Facebook
June 10, 2016 at 10:11pm - Bug Confirmed by Facebook
June 10, 2016 at 10:31pm - My Response to Facebook
June 10, 2016 at 10:34pm - Temporary fix applied by Facebook
June 10, 2016 at 10:44pm - My Response to Facebook
June 11, 2016 at 9:05am - Bug fixed and response by Facebook
June 11, 2016 at 9:55am - Confirmation of fix by me
June 11, 2016 at 10:28am - Confirmation of fix by Facebook
June 11, 2016 at 10:35am - Messages exchanged
June 15, 2016 at 1:20am - Messages exchanged
June 20, 2016 at 9:03pm - Asked about bounty decision
June 23, 2016 at 1:13am - 5-digit bounty awarded