The story

I came across a note New: Videos in Comments!

written by Bob Baldwin who works at Facebook. This note was about Facebook launching it's new feature of commenting using videos .

eg. Now, users were allowed to upload a video in comments.

When I saw this note , at that time this video comment feature was already out 8 hrs ago. So, I started playing around and testing this feature to find out how it works. After, 2 hrs I was able to figure out some pretty interesting low impact flaws. Using these low impact flaws, I was able to form a bug to DELETE ANY VIDEO

At that time, I was like ...



Seriously, I am able to DELETE ANY VIDEO of my choice from FACEBOOK.

The Bug

This bug is proof of flaw in logic rather than daily technical flaws which we see like RCE, SSRF, etc.

Developers logic

When we upload a video as a comment , then this video gets uploaded onto user/page 's timeline and then it gets attached to the post as a video comment using it's video-id .

eg. When any user comments using a video on any random post, then video will first get uploaded to the user's timeline and then video-id will be returned. This video-id gets attached to the post as a video comment.

My attack Logic

I love API. So, I got to this via GraphAPI. Below is simple attack logic.

Create a comment via api. Edit the comment and attach video of your choice using video_id via api. Delete the comment via api.

This was removing the attached video using it's video-id .

Here, there are two simple flaws ...

I am able to attach anyone's video to my comment using it's video-id . When I delete my comment , then attached video gets deleted. As it uses ONLY video-id and there are no permission checks placed to verify if the user owns the video . Assumptions are made that user will ONLY upload/attach his/her own videos.

Proof Of Concept

1.Create a comment on a post via API.

Api call :

Reference: (https://developers.facebook.com/docs/graph-api/reference/object/comments/)

POST /< post id>/comments?message=test

2.Edit the comment and attach a VIDEO of your choice via API.

Video id : 1739331926310614 (Video to be deleted)

Api call :

Reference: (https://developers.facebook.com/docs/graph-api/reference/v2.6/comment)

POST /< comment id>?attachment_id=1739331926310614

Video added as a comment.

3.Delete the comment. Wait 20 secs. (As it takes 20 secs to DELETE the video from Facebook's server.)

Api call :

Reference: (https://developers.facebook.com/docs/graph-api/reference/v2.6/comment)

DELETE /< comment id>

This will delete the video.

This vulnerability was temporarily fixed by Facebook team in 23 minutes after confirmation of flaw.

Permanent fix was live in 10-12 hrs after that.

Kudos to Facebook. :)

How I got this hit ?

I have been following some youtube channels, some great books and some other material which I mentioned in this note on my page to improve my life. The book "The Power Of Subconscious Mind " mentioned in my note is really life changing and have some really cool techniques to take you to whole new level. I recommend everyone to read this book who wants to acheive great things in their life.

Also, it's worth mentioning that it took me more than 1.5 years to find this high-impact bug.

Follow this :



Special Thanks

I would like to thank all my friends, well-wishers and everyone around me who plays an important role of motivating me. Also, Facebook Security Team to patch this bug before it goes into wrong hands.

Timeline

June 10, 2016 at 3:53pm - Report Sent

June 10, 2016 at 8:36pm - Initial Response by Facebook

June 10, 2016 at 8:51pm - My Response to Facebook

June 10, 2016 at 10:11pm - Bug Confirmed by Facebook

June 10, 2016 at 10:31pm - My Response to Facebook

June 10, 2016 at 10:34pm - Temporary fixed applied by Facebook

June 10, 2016 at 10:44pm - My Response to Facebook

June 11, 2016 at 9:05am - Bug fixed and response by Facebook

June 11, 2016 at 9:55am - Confirmation of fix by me

June 11, 2016 at 10:28am - Confirmation of fix by Facebook

June 11, 2016 at 10:35am - Messages exchanged

June 15, 2016 at 1:20am - Messages exchanged

June 20, 2016 at 9:03pm - Asked about bounty decision

June 23, 2016 at 1:13am - 5 digits bounty awarded