Published On: 28 Aug 2020
On Facebook, people can go live through their account, groups, pages, Events, etc. While streaming, the video owner can add a question for viewers to answer, and can check all the responses to the question in the "Questions" tab of the live video admin panel.
On the question you added there is an "Open Card" button; when it is clicked, your question becomes visible to your audience. The video owner can later close the question by clicking "Close Card" to stop viewers from answering it (the question will no longer be available to the audience). Intercepting the request sent while answering the question asked by the live video owner lets us answer the question whenever we want, just by resending the request.
A malicious user can answer a live video question added by the owner of the live video even if the owner closed it after it was opened.
Step 1: Setup
UserA – Admin of a page - Victim
UserB – Live video viewer - Attacker
Step 2: UserA will create a live video on his page.
Step 3: UserA will navigate to the "Questions" tab in the live video admin panel and add a question for his live video.
Step 4: UserA will go live and then click "Open Card" on the added question to make it visible to the viewers.
Step 5: UserB will navigate to the live video on UserA's page, intercept the POST request sent by the submit button when answering the question, and send it to the repeater.
Step 6: UserA will close the question card. (Viewers can no longer answer the question because it is not visible to them.)
Step 7: UserB will answer the question by resending the request after the video owner has closed the question card.
The above image shows that from the UI side there is no way to re-access the question.
Step 8: UserA will check the responses to the question by clicking on it. UserB's answer will be shown in the responses, even though UserB answered after UserA closed the question card.
Why can this bug impact a live video owner? Consider that you own a Facebook page and decide to go live to run a competition containing a question, where the people who answer correctly win the competition and get rewarded. You decide that the competition will run for just 5 mins of the live video, so you open the question card for 5 mins and then close it, so that the question can be answered only during those 5 mins. But during those 5 mins a malicious user applied the attack explained above and answered the question after you closed it, so this malicious user will also get rewarded. In addition, this malicious user can pass the variables of the request to his friends, so they will also be able to answer the question and get rewarded even if they missed the live video.
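
The missing check behind this bug, as an added example that is not from the original post and is not Facebook's code: a hypothetical in-memory model in which one handler stores an answer without looking at the card state and the other evaluates the state on the server when the request arrives. All class and function names, the `late_responses` audit helper and the 5-minute timeline are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


class CardClosedError(Exception):
    """Answer submitted for a card that is not currently open."""


@dataclass
class QuestionCard:
    question_id: str
    opened_at: Optional[float] = None
    closed_at: Optional[float] = None
    responses: list = field(default_factory=list)  # (viewer, answer, received_at)

    def is_open(self, now):
        if self.opened_at is None or now < self.opened_at:
            return False
        return self.closed_at is None or now < self.closed_at


def submit_unchecked(card, viewer, answer, now):
    # Flawed pattern: relies on the UI hiding the card; state is never checked.
    card.responses.append((viewer, answer, now))


def submit_checked(card, viewer, answer, now):
    # State is evaluated server-side when the request arrives, so a request
    # captured while the card was open is refused once the card is closed.
    if not card.is_open(now):
        raise CardClosedError(card.question_id)
    card.responses.append((viewer, answer, now))


def late_responses(card):
    # Audit helper: answers stored with a receive time at or after close.
    if card.closed_at is None:
        return []
    return [r for r in card.responses if r[2] >= card.closed_at]


def run_scenario(submit):
    # Constructed timeline in seconds: open at 0, closed at 300 (5 minutes).
    card = QuestionCard("q1", opened_at=0.0, closed_at=300.0)
    submit(card, "viewer1", "on time", 120.0)
    try:
        submit(card, "UserB", "replayed", 900.0)  # arrives after close
    except CardClosedError:
        pass
    return card
```

Running `run_scenario` with each handler shows the difference: the unchecked handler stores the late answer, which `late_responses` then flags for the competition organiser, while the checked handler never stores it.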