Pranav Hivarekar is a security researcher from India. He discovered a critical vulnerability in the Facebook platform that allowed him to delete any video he wanted.
The problem lay in a new Facebook feature added to the service at the beginning of the month, when the social network began allowing videos to be posted in comments on other posts.
The researcher reports that, by chaining a few Facebook API requests, he was able to delete any video uploaded to the platform, based on the video's ID.
"This error is proof that the logic is not correct and is not a technical defect that we see such as RCE, SSRF, etc.," explains the researcher.
The issue, according to Hivarekar, arises when a user uploads a video as a comment. The video is uploaded to the user's Facebook profile and is assigned a specific identifier. Then, once the comment is posted to the desired location, it carries this ID.
In his tests, the researcher discovered that he could create a comment through Facebook's API and then send another API request to attach any video ID, belonging to any user, to his comment. After that, a further API request could delete the comment, and with it the attached video.
Hivarekar reported that Facebook developers forgot to add controls to keep people from using videos they had not uploaded.
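The missing control can be shown with a small in-memory model. This is an added example, not Facebook's code or API: every class, method and user name is hypothetical, and the rule that deleting a comment also deletes its attached video is an assumption of the model.

```python
# Constructed model of the flaw; all names are hypothetical, not Facebook's API.
class Forbidden(Exception):
    pass

class CommentService:
    def __init__(self, enforce_ownership):
        self.enforce_ownership = enforce_ownership
        self.videos = {}    # video_id -> owner
        self.comments = {}  # comment_id -> {"author", "video_id"}
        self._next_id = 1

    def upload_video(self, user, video_id):
        self.videos[video_id] = user

    def create_comment(self, user):
        cid = self._next_id
        self._next_id += 1
        self.comments[cid] = {"author": user, "video_id": None}
        return cid

    def attach_video(self, user, comment_id, video_id):
        comment = self.comments[comment_id]
        if comment["author"] != user:
            raise Forbidden("not your comment")
        if video_id not in self.videos:
            raise KeyError(video_id)
        # The missing control: the caller must own the referenced video.
        if self.enforce_ownership and self.videos[video_id] != user:
            raise Forbidden("video belongs to another user")
        comment["video_id"] = video_id

    def delete_comment(self, user, comment_id):
        comment = self.comments[comment_id]
        if comment["author"] != user:
            raise Forbidden("not your comment")
        del self.comments[comment_id]
        vid = comment["video_id"]
        # Assumed cascade; ownership is re-checked at the destructive step too.
        if vid is not None and (not self.enforce_ownership
                                or self.videos.get(vid) == user):
            self.videos.pop(vid, None)

def victim_video_survives(enforce_ownership):
    """Replay the reported sequence against another user's video."""
    svc = CommentService(enforce_ownership)
    svc.upload_video("alice", "v1")        # constructed sample data
    cid = svc.create_comment("mallory")
    try:
        svc.attach_video("mallory", cid, "v1")
    except Forbidden:
        pass
    svc.delete_comment("mallory", cid)
    return "v1" in svc.videos
```

With the ownership check off, the other user's video is gone after the comment is deleted; with it on, the attach request is refused and the video survives.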
The researcher reported the vulnerability to Facebook through its bug bounty program on June 11, two days after the social network released the new feature.
Facebook, for its part, provided a temporary fix after 23 minutes and then fixed the error completely 11 hours later. For the extremely critical bug, the social network gave the researcher a five-digit reward.