Dan Melamed

Published On: 25 Apr 2020

Deleting Anyone's Video Poll

IDOR
Facebook | Web
---
MEDIUM VALID
Description

I have discovered a vulnerability in Facebook's new feature that allows you to add a poll to a Facebook video.

Impact

By exploiting this vulnerability, an attacker can delete a poll that belongs to another user's video without authorization.
Reproduction Steps

Step 1: Upload a video to a Facebook page.

Step 2: In the video editing page, go to the Polls tab and choose to create a new poll. Then submit the video.

Step 3: Go back and edit the video. Delete a poll and, before hitting Save, intercept the request with a tool such as Burp Suite.

Step 4: A POST request will be sent to /video/edit/dialog/save/?v=(VIDEO ID)&av=(PAGE ID)

Step 5: The vulnerable parameter in this POST request is:
deleted_poll_ids[0] = (POLL ID)

Step 6: Replace your (POLL ID) with the victim's video poll id.

Step 7: Submit the request. The poll is now successfully deleted from the victim's video.
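As an added example (not code from this report or from Facebook), the following Python is a hypothetical reconstruction of the missing server-side check: the vulnerable save handler honours any poll id placed in deleted_poll_ids, while the hardened form requires every id to be a poll of the video named by v, which in turn must belong to the page named by av. The in-memory data model, the user and page names, and the page-admin check are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Video:
    video_id: int
    page_id: int
    poll_ids: set = field(default_factory=set)


def make_store():
    """Constructed sample data: 'attacker' administers page 100 (video 1, poll 11);
    'victim' administers page 200 (video 2, poll 22)."""
    admins = {100: {"attacker"}, 200: {"victim"}}
    videos = {1: Video(1, 100, {11}), 2: Video(2, 200, {22})}
    return admins, videos


def _check_edit_rights(admins, videos, actor, v, av):
    # Assumed checks the handler already performs: actor runs page av, video v is av's.
    if actor not in admins.get(av, set()):
        raise PermissionError(f"{actor} does not administer page {av}")
    if v not in videos or videos[v].page_id != av:
        raise PermissionError(f"video {v} does not belong to page {av}")
    return videos[v]


def save_vulnerable(store, actor, v, av, deleted_poll_ids):
    """Hypothetical reconstruction of the bug: each id in deleted_poll_ids is
    resolved globally, so a poll from another page's video is deleted too."""
    admins, videos = store
    _check_edit_rights(admins, videos, actor, v, av)
    deleted = []
    for pid in deleted_poll_ids:
        for video in videos.values():  # poll looked up across all videos, not under v
            if pid in video.poll_ids:
                video.poll_ids.discard(pid)
                deleted.append(pid)
    return deleted


def save_fixed(store, actor, v, av, deleted_poll_ids):
    """Hardened form: every poll id must be a poll of the video being edited;
    one foreign id rejects the whole request (fail closed, nothing deleted)."""
    admins, videos = store
    video = _check_edit_rights(admins, videos, actor, v, av)
    foreign = [pid for pid in deleted_poll_ids if pid not in video.poll_ids]
    if foreign:
        raise PermissionError(f"poll ids {foreign} are not polls of video {v}")
    for pid in deleted_poll_ids:
        video.poll_ids.discard(pid)
    return list(deleted_poll_ids)
```

The same rule applies to any client-supplied child id on an edit endpoint: resolve it through the parent object the caller is authorized on, never by id alone.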

Timeline

Dan, 01 Nov 2018: Initial Report

Facebook, 02 Nov 2018: Reproduced and Triaged

Facebook, 06 Nov 2018: Fixed

Facebook, 06 Nov 2018: Bounty Awarded
