
Facebook bug let anyone delete any video

The flaw was discovered by Dan Melamed in June 2016. He detailed his find in a blog post this week, explaining that the critical vulnerability let him remotely delete any video on Facebook. Melamed has created a YouTube video that demonstrates his method in action.
The security researcher found videos could be deleted from Facebook by exploiting its event feature. An attacker would need to first create a new public event or visit an existing one. They’d then have to create a new event post from the Discussion tab and upload a photo or video.
The uploaded media adds a special parameter to the request made to Facebook when the post is created. By swapping the parameter’s value for the ID of the Facebook video to delete, Melamed could successfully attach it to the event. The servers return an error message but nonetheless link the post and video together.
With the post created, the attacker just needs to click the drop-down menu in the top right of any Facebook post and click “Delete.” When deleting an event post, any attached media is also removed. Confirming the prompt that appears will delete the video, regardless of who actually owns it.
The vulnerability is described as an Insecure Direct Object Reference. Facebook shouldn’t have allowed Melamed to attach another user’s video to his post: the request should have been routed through authentication systems and declined. Because the video did end up linked to a post that Melamed owned, he was then able to delete it. Again, Facebook should have checked whether the video was his before removing it.
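The two missing checks described above, as an added toy model that is not Facebook’s code: an `attach` step that (in the vulnerable configuration) trusts the client-supplied video ID, and a post deletion that cascades to attached media. Names such as `MediaService`, `run_scenario` and the `alice`/`bob` data are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Video:
    id: str
    owner: str

@dataclass
class Post:
    id: str
    owner: str
    media: list = field(default_factory=list)

class MediaService:
    def __init__(self, enforce_ownership):
        self.enforce_ownership = enforce_ownership
        self.videos, self.posts = {}, {}

    def attach(self, actor, post_id, video_id):
        # Vulnerable path: looks up the client-supplied video ID and never asks
        # who owns it (the IDOR). Fixed path: both objects must belong to actor.
        post, video = self.posts[post_id], self.videos[video_id]
        if self.enforce_ownership and (post.owner != actor or video.owner != actor):
            raise PermissionError(f"{actor} may not attach {video_id} to {post_id}")
        post.media.append(video_id)

    def delete_post(self, actor, post_id):
        # Deleting a post cascades to attached media; the fixed path re-checks
        # ownership of each video instead of trusting the earlier link.
        post = self.posts[post_id]
        if post.owner != actor:
            raise PermissionError(f"{actor} does not own {post_id}")
        for video_id in post.media:
            video = self.videos.get(video_id)
            if video and (not self.enforce_ownership or video.owner == actor):
                del self.videos[video_id]
        del self.posts[post_id]

def run_scenario(enforce_ownership):
    # Constructed data: 'alice' owns a video, 'bob' owns an event post.
    # Returns True if alice's video survives bob deleting his own post.
    svc = MediaService(enforce_ownership)
    svc.videos["vid-1"] = Video("vid-1", "alice")
    svc.posts["post-9"] = Post("post-9", "bob")
    try:
        svc.attach("bob", "post-9", "vid-1")
    except PermissionError:
        pass  # the hardened service refuses at the attach step
    svc.delete_post("bob", "post-9")
    return "vid-1" in svc.videos
```

With `enforce_ownership=False` the foreign video is gone after the post is deleted; with it enabled the link is refused up front and the cascade only touches media the deleting user owns.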
Facebook fixed the issue within a month of being notified. It acknowledged Melamed’s report just a day after it was filed. The company first requested he send a video showing the technique in action. It then uploaded a demo video to a test account and asked Melamed to remotely delete it as a proof-of-concept. A patch was released by July 15, when Facebook awarded Melamed a $10,000 bug bounty for his work.
The vulnerability is similar to another bug found by a security researcher in the same month. The flaw uncovered by Pranav Hivarekar also allowed him to delete any video uploaded to Facebook. It relied on the same kind of weakness as Melamed found in event posts, this time in videos attached to comments. Hivarekar also received a five-digit bug bounty.
Although there’s no suggestion either discovery has been maliciously exploited, this kind of security hole could be devastating if found by cybercriminals. The work of freelance security researchers like Melamed and Hivarekar helps companies to fix vulnerabilities before they’re used in the wild, keeping you safe online.
