Within hours of Facebook introducing a new feature that lets anyone attach a video to a comment on another person's post, a Pune-based security researcher spotted a loophole through which he could delete anybody's video posts. He reported his discovery to Facebook and has been rewarded for it, too.
Under Facebook's normal rules, only the person who posted a video is allowed to delete it.
Pranav Hivarekar from the Indian state of Maharashtra wrote on his blog that he managed to find the flaw within two hours of the launch of the new feature. Using this flaw, he was able to delete any video he wanted, Deccan Chronicle reported.
“This bug is proof of a flaw in logic rather than the daily technical flaws which we see, like RCE, SSRF, etc.,” he said in his post.
Since he loves to play around with APIs, he found a simple attack path through the Graph API. All he needed to do was create a comment via the API, edit the comment to attach a video of his choice by its video ID, and then delete the comment via the API.
Using this flaw, he said, he could attach anyone's video to his comment by supplying that video's ID. When he then deleted the comment, the attached video was deleted along with it, which means the original video was erased as well.
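To show where the logic went wrong, here is an added toy model of the comment-attachment flow (assumed, not Facebook's code and not from the researcher's blog): the flawed path accepts any existing video ID and cascades the delete without checking who owns the video, while the hardened path checks ownership both when attaching and when cascading.

```python
class PermissionDenied(Exception):
    """Raised when a caller acts on an object they do not own."""

class CommentStore:
    """In-memory stand-in for the service; enforce_ownership toggles the fix."""

    def __init__(self, enforce_ownership: bool):
        self.enforce_ownership = enforce_ownership
        self.videos: dict[int, str] = {}     # video_id -> owner (constructed)
        self.comments: dict[int, dict] = {}  # comment_id -> {author, video_id}

    def upload_video(self, owner: str) -> int:
        self.videos[len(self.videos) + 1] = owner
        return len(self.videos)

    def create_comment(self, author: str) -> int:
        self.comments[len(self.comments) + 1] = {"author": author, "video_id": None}
        return len(self.comments)

    def attach_video(self, user: str, comment_id: int, video_id: int) -> None:
        comment = self.comments[comment_id]
        if comment["author"] != user:
            raise PermissionDenied("only the comment author may edit it")
        # Flawed logic accepted any existing video_id; the fix also requires
        # the video to belong to the user editing the comment.
        if self.enforce_ownership and self.videos[video_id] != user:
            raise PermissionDenied("cannot attach a video you do not own")
        comment["video_id"] = video_id

    def delete_comment(self, user: str, comment_id: int) -> None:
        comment = self.comments[comment_id]
        if comment["author"] != user:
            raise PermissionDenied("only the comment author may delete it")
        del self.comments[comment_id]
        vid = comment["video_id"]
        # Cascade delete of the attachment. Flawed logic cascaded with no owner
        # check; the fix re-checks ownership at this sink as well.
        if vid in self.videos and (not self.enforce_ownership or self.videos[vid] == user):
            del self.videos[vid]

def victim_video_survives(enforce_ownership: bool) -> bool:
    """Replay the reported flow; True if the victim's video is still present."""
    store = CommentStore(enforce_ownership)
    victim_video = store.upload_video("victim")
    comment = store.create_comment("attacker")
    try:
        store.attach_video("attacker", comment, victim_video)
        store.delete_comment("attacker", comment)
    except PermissionDenied:
        pass
    return victim_video in store.videos
```

With the fix off the victim's video disappears; with it on the attach step is refused and the video survives.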
He has published a proof of concept on his blog explaining the steps needed to reproduce the issue.
He contacted Facebook on June 10, 2016 with a report of his findings. He received confirmation from Facebook's developers the same day and was told that a temporary fix had been applied.