Researcher gets a five-digit reward from Facebook

Jun 25, 2016 01:40 GMT

Pranav Hivarekar, a security researcher based in Pune, India, discovered a critical vulnerability on Facebook's platform that allowed him to delete any video he wanted.

The problem was in a new feature Facebook added to its service at the start of the month: the ability to post videos as comments on other Facebook posts.

Researcher says the bug is "a flaw in logic"

The researcher claims that, after fiddling around with some Facebook API requests, he was able to delete any video uploaded on the platform, based on its video ID.

"This bug is proof of flaw in logic rather than daily technical flaws which we see like RCE, SSRF, etc.," the researcher explains.

The issue, according to Hivarekar, is that when a user uploads a video as a comment, the video is uploaded to their Facebook profile, is given a video ID, and then attached to the desired post based on that video ID.

Facebook forgot to add permission checks to the delete operation

In his tests, the researcher discovered that he could create a comment via the Facebook API, then send another API request to attach any video ID from any user to that comment, and later use a third API request to delete the comment.

Since the video ID was attached to the comment, the video was removed as well. Hivarekar says that Facebook's employees forgot to add permission checks to see if the person deleting the comment was the owner of the comment and the owner of the video.
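The missing checks can be shown with a toy in-memory model. This is an added example, not Facebook's code or API: the `Store` class, its method names and the users `alice` and `mallory` are all hypothetical. It contrasts the flawed attach-and-delete flow with one that verifies ownership of both the comment and the video.

```python
# Toy in-memory model, constructed for illustration (not Facebook's code or API).
class Forbidden(Exception):
    pass

class Store:
    def __init__(self):
        self.videos = {}    # video_id -> owner
        self.comments = {}  # comment_id -> {"author": ..., "video_id": ...}

    def upload_video(self, user, video_id):
        self.videos[video_id] = user

    def create_comment(self, user, comment_id):
        self.comments[comment_id] = {"author": user, "video_id": None}

    # Flawed flow as the article describes it: 'user' is never consulted.
    def attach_video_flawed(self, user, comment_id, video_id):
        self.comments[comment_id]["video_id"] = video_id

    def delete_comment_flawed(self, user, comment_id):
        comment = self.comments.pop(comment_id)
        self.videos.pop(comment["video_id"], None)  # cascade removes the video

    # Hardened flow: check ownership of both objects at every step.
    def _owned_comment(self, user, comment_id):
        comment = self.comments.get(comment_id)
        if comment is None or comment["author"] != user:
            raise Forbidden("caller does not own this comment")
        return comment

    def attach_video(self, user, comment_id, video_id):
        comment = self._owned_comment(user, comment_id)
        if self.videos.get(video_id) != user:
            raise Forbidden("caller does not own this video")
        comment["video_id"] = video_id

    def delete_comment(self, user, comment_id):
        video_id = self._owned_comment(user, comment_id)["video_id"]
        del self.comments[comment_id]
        # Defense in depth: cascade only to a video the caller owns.
        if video_id is not None and self.videos.get(video_id) == user:
            del self.videos[video_id]

def make_store():
    s = Store()
    s.upload_video("alice", "v1")      # alice owns the video
    s.create_comment("mallory", "c1")  # mallory owns the comment
    return s
```

In the hardened flow the attach step rejects a video the caller does not own, and the cascade on delete re-checks ownership, so a bad reference that slipped in some other way still cannot remove someone else's video.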

The researcher adds he reported the issue to Facebook via the company's bug bounty program on June 11, two days after the video commenting feature went live.

Facebook released a temporary fix after only 23 minutes and later patched the bug for good after 11 hours. For his extremely critical bug, the researcher states Facebook gave him a five-digit bug bounty reward.