Binit Ghimire

Published On: 13 May 2019

$750

Unauthorized Comments on Facebook Live Streams

Privacy/Authentication
Facebook | Android
Inclusion in the 2018 Thanks list
MEDIUM VALID

Hello, guys! I am Binit Ghimire, from Nepal. Back in October 2018, I discovered a vulnerability in Facebook that let me create unauthorized comments on the live streams of people who aren't my friends and who don't allow non-friends to comment on their posts. For this vulnerability, the Facebook Security Team rewarded me a bounty of $750, the first bounty I ever received.

Description

Suppose there is a person who isn’t a friend of mine on Facebook, and that person allows only “Friends” to comment on their posts, pictures and videos. When that person goes live on Facebook and I watch the live stream, a “Share” button and reaction buttons appear. Just above the reaction and “Share” buttons, the live stream shows quick-comment items such as the text “Hello”, a tears-of-joy emoji, a heart emoji, and so on. When I click on any of those, it is posted as a comment, even though I was not meant to be able to comment there.

Impact

This bug allows an attacker to publish comments on the live streams of non-friends who allow only friends to comment on their posts.
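The flaw described above is, in effect, a second write path (the quick-comment bar) that did not apply the same audience check as the normal comment box. The Python model below is an added example, not Facebook's code and not the author's: it invents a tiny `User`/`LiveStream` data model and a `can_comment` policy to show the vulnerable pattern (a quick-comment endpoint that appends a comment without consulting the policy) beside the hardened one, in which every comment, whatever UI control produced it, is routed through a single `create_comment` that enforces the policy and fails closed on unknown audience values. `run_demo` plays a constructed non-friend and a constructed friend against both versions so the difference can be asserted in a regression test.

```python
"""Illustrative model (added example; all names, data and policies are constructed)
of enforcing a comment-audience setting at the single server-side point where a
comment is created, instead of relying on the client to hide or show a control."""
from dataclasses import dataclass, field


@dataclass
class User:
    uid: str
    friends: set = field(default_factory=set)


@dataclass
class LiveStream:
    owner: User
    comment_audience: str          # constructed values: "public" or "friends"
    comments: list = field(default_factory=list)


def can_comment(viewer: User, stream: LiveStream) -> bool:
    """Single authorization policy for commenting on a stream."""
    if viewer.uid == stream.owner.uid:
        return True
    if stream.comment_audience == "public":
        return True
    if stream.comment_audience == "friends":
        return viewer.uid in stream.owner.friends
    return False                    # unknown audience value: fail closed


# --- Vulnerable pattern, modelled on the behaviour the report describes ---------
def post_comment_vulnerable(viewer: User, stream: LiveStream, text: str) -> None:
    """The ordinary comment box: the policy is applied here."""
    if not can_comment(viewer, stream):
        raise PermissionError("comments on this stream are restricted to friends")
    stream.comments.append((viewer.uid, text))


def post_quick_comment_vulnerable(viewer: User, stream: LiveStream, preset: str) -> None:
    """A second write path for the quick-comment bar that never asks the policy."""
    stream.comments.append((viewer.uid, preset))


# --- Hardened pattern: one write path, policy checked there ----------------------
QUICK_PRESETS = {"Hello", "tears_of_joy", "heart"}   # constructed preset identifiers


def create_comment(viewer: User, stream: LiveStream, text: str) -> int:
    """The only function that appends to stream.comments; returns the new count."""
    if not can_comment(viewer, stream):
        raise PermissionError("comments on this stream are restricted to friends")
    stream.comments.append((viewer.uid, text))
    return len(stream.comments)


def post_quick_comment(viewer: User, stream: LiveStream, preset: str) -> int:
    """Quick-comment bar handler: validates the preset, then reuses create_comment."""
    if preset not in QUICK_PRESETS:
        raise ValueError(f"unknown quick-comment preset: {preset!r}")
    return create_comment(viewer, stream, preset)


def run_demo() -> dict:
    """Exercise both versions with a constructed friend and non-friend."""
    streamer = User("streamer", friends={"alice"})
    alice = User("alice")           # a friend of the streamer
    bob = User("bob")               # not a friend of the streamer
    results = {}

    vuln_stream = LiveStream(owner=streamer, comment_audience="friends")
    try:
        post_comment_vulnerable(bob, vuln_stream, "hi")
        results["vuln_regular_box"] = "posted"
    except PermissionError:
        results["vuln_regular_box"] = "blocked"
    post_quick_comment_vulnerable(bob, vuln_stream, "Hello")
    results["vuln_quick_bar"] = "posted" if vuln_stream.comments else "blocked"

    safe_stream = LiveStream(owner=streamer, comment_audience="friends")
    try:
        post_quick_comment(bob, safe_stream, "Hello")
        results["safe_quick_bar_stranger"] = "posted"
    except PermissionError:
        results["safe_quick_bar_stranger"] = "blocked"
    post_quick_comment(alice, safe_stream, "Hello")
    results["safe_quick_bar_friend"] = (
        "posted" if safe_stream.comments == [("alice", "Hello")] else "blocked"
    )
    return results


if __name__ == "__main__":
    for path, outcome in run_demo().items():
        print(f"{path}: {outcome}")
```

The regression test a team would keep from this bug is the `safe_quick_bar_stranger` case: every UI control that results in a comment is exercised as a non-friend against a friends-only stream, and each must be rejected by the same server-side policy.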

Reproduction Steps

Step 1

As a non-friend of a person who allows only friends to comment on his/her posts, open any of the live streams available in his/her profile.

Step 2

You will see the Share button and the reaction buttons, and above these some quick-comment items such as the text “Hello”, a tears-of-joy emoji, a heart emoji, etc., as shown in “photo1.jpg”. Click on one of these items to comment.


Step 3

The item is posted as a comment on the live stream from your Facebook account, even though the live streamer doesn’t allow non-friends to comment on his/her posts.


Setup

1. An account which isn’t your friend and allows only Friends to comment on posts.
2. Your Facebook account.
3. The person who isn’t your friend and allows only Friends to comment on posts needs to start a live stream.

Read Full Write-up: How I Managed to Create Unauthorized Comments on Facebook Live Stream

I have written a full write-up with all the details, the vulnerability report, the proof-of-concept, the replies from the Facebook team and my follow-up responses on the official website of Ask Buddie, a Facebook group for help and support in the field of technology. You can read the full write-up here: https://www.askbuddie.com/blog/unauthorized-comments-on-facebook-live-stream/

Information regarding the Attachments

photo1.jpg and photo2.jpg refer to the photos I attached to Step #2 and Step #3 respectively.

Timeline

Binit, 05 Oct 2018: Reported the Vulnerability
I reported the vulnerability to Facebook on October 5, 2018.

Facebook, 05 Oct 2018: Automated Response from Facebook
The automated response was received from Facebook upon the submission of the vulnerability report.

Facebook, 09 Oct 2018: Requested the Video
One of the staff members at the Facebook Security Team requested the proof-of-concept video.

Binit, 09 Oct 2018: Submitted PoC video
I submitted the video to them. Watch the video here: https://youtu.be/Zgyno1mIPVU

Facebook, 12 Oct 2018: Triaged
The people at the Facebook Security Team were able to reproduce the vulnerability.

Facebook, 12 Oct 2018: Requested Further Information regarding its impact
One of the members of the Facebook Security Team asked me whether I was able to make the comments available in the quick comment bar like "Hello" ...

Binit, 12 Oct 2018: Provided Further Information
I confirmed that I was able to make the comments available in the quick comment bar like "Hello" and some emojis. To make it clear, I added a fol ...

Facebook, 10 Nov 2018: Vulnerability Patched
The Facebook Security Team confirmed that the vulnerability has been patched and requested me to let them know if the issue was still reproducible ...

Binit, 10 Nov 2018: Vulnerability Patch Confirmed
I tried reproducing the vulnerability again and found out that the vulnerability was patched. Then, I added a follow-up response stating that the ...

Facebook, 14 Nov 2018: Bounty Amount Rewarded
The Facebook Security Team decided to award me a bounty of $750 for reporting the vulnerability.

Binit, 14 Nov 2018: I thanked the Facebook Security Team
I thanked the Facebook Security Team for providing me the first ever bounty in my life and requested them to mention my name in the Thanks page.

Facebook, 27 Nov 2018: Inclusion in the Whitehat Thanks page of 2018
The Facebook Security Team included my name "Binit Ghimire" in the Whitehat Thanks page of 2018. You can view it here: https://www.facebook.com/w ...