This vulnerability is similar to another video deletion bug that another researcher discovered here:
https://pranavhivarekar.in/2016/06/23/facebooks-bug-delete-any-video-from-facebook/
Instead of attaching the victim's video to a comment, I discovered a way to attach the video to an event post. When you delete an event post it also deletes the attached video.
To exploit this vulnerability I took the following steps:
1. Create a public event on Facebook or visit any public event
2. Go to the Discussion tab of the event and create an event post by uploading a photo or video
3. Upload the photo/video and intercept the POST request. The POST request will look like this:
https://www.facebook.com/media/upload/photos/composer/?av=<Profile ID>&dpr=1
Where <Profile ID> is the user account you're posting from
4. In the POST request there is a vulnerable parameter called:
composer_unpublished_photo[0]=<Video ID>
<Video ID> represents the ID of the video that you were just uploading.
5. Replace <Video ID> with any video on Facebook
6. The server response will give you an error saying "This content is no longer available". But the video has been successfully attached to the event post you made.
7. Refresh the Events Discussion page and you will see that the event posting has appeared with the victim's video attached
8. Click on the small arrow dropdown on the top right of the post and choose "Delete Post"
9. A popup dialog box will appear that says:
"You are about to delete this post. The video will also be removed from Photos and Videos."
10. Click Delete
11. Wait approximately 20-30 seconds and the video will be deleted from Facebook
You will also notice in the dropdown section that there is the option to "Turn off commenting". This allows you to disable commenting on the video of your choice.
These are the steps that allowed me to delete any video on Facebook.
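The root cause in the steps above is a client-supplied media ID that is accepted without an ownership check, combined with a post deletion that cascades to the attached media. The following is an added example, not code from this post or from Facebook: a simplified Python model with hypothetical names (Store, create_post_checked, delete_post) and constructed data, showing the ownership check at attach time and again in the delete cascade.

```python
# Simplified model for illustration; not Facebook's code, all names hypothetical.
class Forbidden(Exception):
    pass

class Store:
    def __init__(self, media_owner):
        self.media_owner = dict(media_owner)  # media_id -> owner_id
        self.posts = {}                       # post_id -> (author_id, [media_id])

    def create_post_vulnerable(self, post_id, author_id, media_ids):
        # Flaw modelled from the write-up: client-supplied ID stored unchecked.
        self.posts[post_id] = (author_id, list(media_ids))

    def create_post_checked(self, post_id, author_id, media_ids):
        # Authorize every referenced object before writing any state.
        for mid in media_ids:
            if self.media_owner.get(mid) != author_id:
                raise Forbidden(f"{author_id} does not own {mid}")
        self.posts[post_id] = (author_id, list(media_ids))

    def delete_post(self, post_id, actor_id, recheck_owner=True):
        author_id, media_ids = self.posts[post_id]
        if actor_id != author_id:
            raise Forbidden("only the author may delete this post")
        del self.posts[post_id]
        removed = []
        for mid in media_ids:
            # Defence in depth: cascade only to media the actor owns.
            if not recheck_owner or self.media_owner.get(mid) == actor_id:
                self.media_owner.pop(mid, None)
                removed.append(mid)
        return removed

def demo():
    # Constructed data: "bob" references a video owned by "alice".
    results = {}
    s = Store({"vid_alice": "alice", "vid_bob": "bob"})
    s.create_post_vulnerable("p1", "bob", ["vid_alice"])
    results["trusting_cascade"] = s.delete_post("p1", "bob", recheck_owner=False)
    s = Store({"vid_alice": "alice", "vid_bob": "bob"})
    s.create_post_vulnerable("p2", "bob", ["vid_alice"])
    results["rechecked_cascade"] = s.delete_post("p2", "bob")
    try:
        s.create_post_checked("p3", "bob", ["vid_alice"])
        results["checked_create"] = "accepted"
    except Forbidden:
        results["checked_create"] = "rejected"
    return results
```

Either check alone stops the deletion in this model; doing both means a reference that slips past the attach-time check still cannot remove someone else's media.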
Video demonstration:
I used the Fiddler tool to intercept the request
Timeline:
June 29th, 2016 - Reported Vulnerability to Facebook
June 30th, 2016 - Video demonstration requested by Facebook
June 30th, 2016 - Video demonstration sent
June 30th, 2016 - As POC, Facebook requests I delete a demo video on their test account
July 1st, 2016 - I confirm that I've deleted the demo video
July 15th, 2016 - $10,000 bounty awarded by Facebook
January 23rd, 2017 - Wrote about the vulnerability publicly