Bassem Bazzoun

Published On: 28 Aug 2020

Answer live video questions even if they are closed

Category: Other
Platform: Facebook | Web
Status: Informative

On Facebook, users can go live from their account, groups, pages, events, etc. While streaming, the video owner can add a question for viewers to answer, and can review all responses to that question in the "Questions" tab of the live video admin panel.

Description

Each added question has an "Open Card" button; clicking it makes the question visible to your audience. The video owner can later close the question by clicking "Close Card", which stops viewers from answering it (the question is no longer shown to the audience). Intercepting the request sent when answering the owner's question lets us answer the question whenever we want, simply by re-sending that request.

Impact

A malicious user can answer a live video question added by the owner of the live video even after the owner has closed it following its opening.

Reproduction Steps

Step 1 – Setup

UserA – Admin of a page – Victim
UserB – Live video viewer – Attacker

Step 2

UserA creates a live video on his page.

Step 3

UserA navigates to the "Questions" tab in the live video admin panel and adds a question for his live video.

Step 4

UserA goes live and then clicks "Open Card" on the added question to make it visible to the viewers.

Step 5

UserB navigates to the live video on UserA's page, intercepts the POST request issued by the submit button when answering the question, and sends it to the repeater.

Step 6

UserA closes the question card. (Viewers can no longer answer the question because it is no longer visible to them.)

Step 7

UserB answers the question by re-sending the request after the video owner has closed the question card.

The above image shows that there is no way to re-access the question from the UI side.

Step 8

UserA checks the responses to the question by clicking on it; UserB's answer appears among the responses, even though UserB answered after UserA closed the question card.

Discussion

Why can this bug affect a live video owner? Suppose you own a Facebook page and decide to go live with a competition built around a question: whoever answers correctly wins and gets rewarded. You decide the competition will only run for 5 minutes of the live video, so you open the question card for 5 minutes and then close it, so that the question can only be answered during that window. But during those 5 minutes a malicious user applied the attack explained above and answered the question after you closed it, so this malicious user will also get rewarded. In addition, the malicious user can pass the request parameters to his friends, so they too can answer the question and get rewarded even though they missed the page's live video.
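The reproduction steps and the discussion above describe a card state that is enforced only in the UI. As an added illustration that is not part of the original report or of Facebook's code, the following hypothetical model replays steps 4-7 against a handler that mirrors the reported behaviour and against one that checks the card state server-side on every submission; the question text, answer and user names are constructed sample values.

```python
from dataclasses import dataclass, field
from enum import Enum


class CardState(Enum):
    CLOSED = "closed"   # default after the question is added, and after "Close Card"
    OPEN = "open"       # after the owner clicks "Open Card"


@dataclass
class LiveQuestion:
    """Hypothetical model of one question in a live video's "Questions" tab."""
    question_id: str
    text: str
    state: CardState = CardState.CLOSED
    responses: list = field(default_factory=list)

    def open_card(self) -> None:   # owner clicks "Open Card"
        self.state = CardState.OPEN

    def close_card(self) -> None:  # owner clicks "Close Card"
        self.state = CardState.CLOSED


def submit_answer_vulnerable(question: LiveQuestion, user: str, answer: str) -> bool:
    """Behaviour described in the report: the card state only hides the UI,
    so a re-sent answer request is still accepted after "Close Card"."""
    question.responses.append((user, answer))
    return True


def submit_answer_fixed(question: LiveQuestion, user: str, answer: str) -> bool:
    """Hardened handler: the server checks the current card state on every
    submission, so a replayed or shared request is refused once the card is closed."""
    if question.state is not CardState.OPEN:
        return False
    question.responses.append((user, answer))
    return True


def replay_scenario(handler) -> list:
    """Run steps 4-7 of the report against `handler`; return the accepted responses."""
    q = LiveQuestion("q1", "Which team scored first?")   # constructed sample question
    captured = {"user": "UserB", "answer": "Team A"}    # step 5: viewer's captured POST body
    q.open_card()                                        # step 4: owner opens the card
    handler(q, **captured)                               # step 5: legitimate answer while open
    q.close_card()                                       # step 6: owner closes the card
    handler(q, **captured)                               # step 7: same request re-sent
    return q.responses
```

With the vulnerable handler the replayed request is recorded a second time; with the fixed handler only the answer given while the card was open is kept.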

Timeline

Bassem – 19 Aug 2020
Report sent

Facebook – 20 Aug 2020
Marked as not applicable: Hi Bassem M, Thanks for contacting us. Thank you for the detailed write up, it is well done. However the impact you are describing is a very spe ...

Bassem – 21 Aug 2020
Debating their answer: Thank you for your reply and your decision. In your reply you mentioned that the impact you are describing is a very specific circumstance that ...

Facebook – 21 Aug 2020
Marked as not applicable: Hi Bassem M, Thank you for the reply. As we have stated this even now, does not fully qualify as a security bug. The Attackers in this case are ...

Bassem – 21 Aug 2020
Replying that there is a misunderstanding: Replying that this attack is performed in the "Questions" section and not on "Polls". Addition to that I debated that the attackers does not ...

Facebook – 24 Aug 2020
Closed as Informative: Thank you for the detailed reply. You are correct that I may not have understood. I had mentioned polls as they are also how Pages/Groups/Users g ...
