Pranav Hivarekar, is a security researcher from India. The researcher discovered a critical vulnerability in Facebook's platform that allowed him to delete any video he wanted.
The problem was in a new Facebook feature added to the service earlier this month, when the social network allowed videos and comments to be posted on other posts.
The researcher reports that with some tricks with some API requests to Facebook, he was able to delete any video uploaded to the platform, based on its ID.
"This error is proof that the logic is not correct and is not a technical defect that we see such as RCE, SSRF, etc.," explains the researcher.
The subject, according to Hivarekar, is created when a user uploads a video as a comment. The video goes up in its profile on Facebook, and this gives it a specific ID. Then after posting to the desired location, there is this ID.
In his tests, the researcher found that he could create comments through the Facebook API, he could then send another API request to attach any video ID from any user to their comment. Of course after all that using another API request he could delete the comment.
Hivarekar reported that Facebook developers forgot to add controls to keep videos from people who did not upload the videos.
The researcher reported the vulnerability to Facebook through the program bug bounty on June 11, two days after the release of the new feature from the social network.
On the other hand Facebook provided a temporary solution after 23 minutes, and then fixed the error completely 11 hours later. For the extremely critical bug reported by the Facebook researcher, the social network rewarded him with a five-digit reward.