A serious vulnerability in the Facebook platform could allow an attacker to delete Live Videos. The researcher who found this flaw also detected two more bugs affecting Facebook Live Videos and business pages.
Facebook Vulnerability Affecting Live Video
Reportedly, security researcher Ahmad Talahmeh spotted a major vulnerability in the Facebook Live Videos feature.
As specified in his blog post, the vulnerability resided in the trim feature, which is meant to let a video owner trim their own video. Due to the flaw, however, anyone could trim a video down to as little as 5 milliseconds. Such unauthorized trimming to a seemingly zero video duration resulted in the irreversible deletion of the video.
To exploit the bug, an attacker simply had to have the target user’s live video ID, the current user ID, and the code for the request for video trimming.
Describing the impact of the flaw, the researcher stated:
Anyone can trim/untrim any live video on Facebook. Trimming video to 5 milliseconds will cause the video to be 0 seconds long and the owner won’t be able to untrim it.
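The trim flaw described above is a missing server-side authorization check. The following is an added sketch, not code from the researcher's post or from Facebook, that models it beside a hardened handler. All names, the sample data, the whole-second rounding and the `MIN_TRIM_MS` floor are assumptions made for illustration; `session_user_id` is assumed to come from the authenticated session rather than from a request parameter.

```python
from dataclasses import dataclass
from typing import Optional

MIN_TRIM_MS = 1000  # assumed policy floor for this sketch, not a Facebook value

class TrimError(Exception):
    pass

@dataclass
class Video:
    owner_id: str
    length_ms: int
    trim_start_ms: int = 0
    trim_end_ms: Optional[int] = None

    def visible_seconds(self) -> int:
        end = self.length_ms if self.trim_end_ms is None else self.trim_end_ms
        return (end - self.trim_start_ms) // 1000  # whole seconds shown to viewers

def sample_videos():
    # Constructed data: one 10-minute live video owned by "alice".
    return {"v1": Video(owner_id="alice", length_ms=600_000)}

def trim_vulnerable(videos, claimed_user_id, video_id, start_ms, end_ms):
    # Models the flaw: the video is looked up by ID and changed without
    # comparing the requester to the owner or checking the resulting length.
    video = videos[video_id]
    video.trim_start_ms, video.trim_end_ms = start_ms, end_ms
    return video

def trim_hardened(videos, session_user_id, video_id, start_ms, end_ms):
    video = videos.get(video_id)
    # Same error for "missing" and "not yours", so IDs cannot be probed.
    if video is None or video.owner_id != session_user_id:
        raise TrimError("video not found")
    if not 0 <= start_ms < end_ms <= video.length_ms:
        raise TrimError("trim range outside the video")
    if end_ms - start_ms < MIN_TRIM_MS:
        raise TrimError("trim would leave less than the minimum duration")
    video.trim_start_ms, video.trim_end_ms = start_ms, end_ms
    return video
```

The ownership check stops the cross-account trim, and the minimum-duration check separately keeps an owner's own mistaken request from producing a zero-length video.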
Upon detecting the bug, Talahmeh reached out to Facebook, following which the tech giant triaged the bug within 2 hours.
For reporting this flaw, the researcher won an $11,000 bounty via BountyCon 2020, followed by two additional bounties of $1150 and $2300 from Facebook.
Two More Facebook Flaws Also Found
Soon after disclosing the above-mentioned vulnerability, the researcher disclosed two more vulnerabilities affecting the Facebook platform.
One of these bugs could allow a user with an analyst role on a Facebook business page to update its FYI message. As explained in his post, a user with the analyst role is meant to have read-only permissions, so the bug allowed unauthorized modification of the FYI message.
Following his report, Facebook patched the bug within 10 hours and rewarded Talahmeh with a $750 bounty.
The second vulnerability also affected the Facebook Live Video feature, allowing an attacker to untrim a video. As described in his post, where he also shared the PoC:
This could let a malicious user untrim any live video on Facebook using non GraphQL.
Fortunately, Facebook also swiftly patched the vulnerability within 6 hours, thus protecting the users.