Pranav Hivarekar, is a security researcher from India. The researcher discovered a critical vulnerability on the Facebook platform, which allowed him to delete any video he wanted.
The problem was in a new Facebook feature added to the service earlier this month, when the social network allowed videos and comments to be posted on other posts.
The researcher reports that with some tricks with some API requests to Facebook, he was able to delete any video uploaded to the platform, based on its ID.
"Αυτό το σφάλμα είναι η απόδειξη ότι η λογική δεν είναι σωστή και δεν είναι κάποια τεχνικά ατέλεια που βλέπουμε όπως RCE, SSRF κλπ," εξηγεί ο ερευνητής.
The subject, according to Hivarekar, is created when a user uploads a video as a comment. The video goes up in its profile on Facebook, and this gives it a specific ID. Then after posting to the desired location, there is this ID.
In his tests, the researcher discovered that he could generate comments through Facebook's API, he could then send another API request to attach any video ID from any user in his comment. Of course after all this using another API request could delete the comment.
Hivarekar mentioned that Facebook developers forgot to add controls to prevent videos from being deleted by people who didn't upload the videos.
The researcher reported the vulnerability to Facebook through the bug bounty program on June 11, two days after the social network launched the new feature.
On the other hand Facebook provided a temporary solution after 23 minutes, and then fixed the error completely 11 hours later. For the extremely critical bug reported by the Facebook researcher, the social network rewarded him with a five-digit reward.