Pranav Hivarekar, is a security researcher from India. The researcher discovered a critical vulnerability in his platform Facebook, which allowed him to delete any video he wanted.
The problem was a new Facebook feature that was added to the service at the beginning of the month, when the social network allowed the publication of videos and comments in other publications.
The researcher reports that with some tricks with some API requests to Facebook, he was able to delete any video uploaded to the platform, based on its ID.
"This error is the evidence that the logic is not correct and it is not some technical flaw that we see like RCE, SSRF etc," explains the researcher.
The subject, according to Hivarekar, is created when a user uploads a video as a comment. The video goes up in its profile on Facebook, and this gives it a specific ID. Then after posting to the desired location, there is this ID.
In his tests, the researcher found that he could create comments through the Facebook API, he could then send another API request to attach any video ID from any user to their comment. Of course after all that using another API request he could delete the comment.
Hivarekar reported that Facebook developers forgot to add controls to keep videos from people who did not upload the videos.
The researcher reported the vulnerability on Facebook through the bug program bounty on June 11, two days after the release of the new feature from the social network.
On the other hand Facebook provided a temporary solution after 23 minutes, and then fixed the error completely 11 hours later. For the extremely critical bug reported by the Facebook researcher, the social network rewarded him with a five-digit reward.