Freelance security researcher Dan Melamed has done us all a solid. Last year, he figured out how to remotely delete any publicly posted video on Facebook, without permission or authentication.
Then, he did the right thing: he reported it to Facebook.
Melamed said in a blog post on Monday that he’d discovered the critical vulnerability in June. Besides finding a kill switch for any public video, he also discovered he could disable commenting on any video.
He posted a YouTube video on the exact steps that would have let a malicious actor kill any video:
Facebook fixed the vulnerability in July and awarded Melamed a $10,000 bug bounty.
Melamed had looked at the HTTP request that his browser sends to Facebook when he uploads a video. Using a program called Fiddler, he intercepted the request, swapped out his video’s ID for one belonging to a victim’s video, and then sent the modified request on its way to Facebook.
Melamed’s method is simple: first, an attacker would either create a public event on Facebook or visit any existing public event. Then, they’d go to the event’s Discussion tab and create an event post by uploading a photo or video.
He found that when you swap the value of the
composer_unpublished_photo parameter for the ID of the Facebook video you want to kill, the server will balk, putting out this error message:
This content is no longer available.
Error message or no error message, the video will still successfully attach itself to the created event post.
When an attacker refreshes the Events Discussion page, they’d see that the event posting had appeared with the victim’s video attached. Then, it’s just a matter of clicking a small arrow dropdown and choosing “Delete Post”.
A dialog box will warn that the video will also be removed from Photos and Videos. If you confirm in the dialog box that yes, you want to delete the video, Poof! It will be gone within 20 to 30 seconds.
Credit where credit’s due, Melamed noted that this vulnerability is similar to another video deletion bug that Indian security researcher and penetration tester Pranav Hivarekar discovered, also in June 2016.
In a nutshell: whereas Hivarekar’s flaw had to do with attaching a victim’s video to a comment, Melamed discovered a way to attach the video to an event post. Delete the bath water/event post, and that baby/video gets tossed right out with it.
Naked Security’s Mark Stockley wrote up a similar Insecure Direct Object Reference bug: one that also made an appearance in Facebook’s Bug Bounty program. This one had to do with how one man could have deleted any Facebook photo album that he could see.
Mark offers this digression: In Melamed’s attack on videos, he specifies the ID of a video he’s targeting specifically, but since video IDs are just numbers, he could have just guessed one and wiped out a video at random. … Or perhaps a hundred. … Or maybe a thousand. … Or even more.
Would Facebook have noticed if Melamed had gone full Super Villain and tried to delete Every. Single. Video? Would it have stepped in to stop the video carnage before Facebook was utterly drained of moving kittens and puppies?
I suspect the social network would have noticed long before its stash of videos was under any real threat. But even if it hadn’t, there are so many people uploading so many videos to Facebook at such frequency, an attacker would probably need some fairly major infrastructure to even scratch the surface. But, well, that’s cold comfort if it’s your video on the chopping block.
The error that Melamed found is called an Insecure Direct Object Reference (the Object Reference is that parameter,
When Facebook received Melamed’s request to delete a video, it should have noticed that the video he was trying to attach didn’t belong to him, and it should have denied the request. It didn’t. As a consequence, he was able to attach a video that belonged to somebody else to a post that did belong to him.
Since it was his post, it was in his power to delete it. But that shouldn’t have been the case. Facebook should have noticed that he was trying to delete a video that didn’t belong to him, and it should have stopped him in his delete-happy tracks.
At any rate, we really need to say…
Thank you, Facebook breakers!
It shouldn’t surprise anybody that Melamed was inspired by an Indian security researcher who’d been poking at Facebook around the same time. It’s worth noting that for whatever reason, bug bounty hunters in India are very, very good at breaking Facebook.
In fact, as Facebook has said, they’re hands-down the world’s leaders at it.
Hackers who find these bugs face a choice between doing something good or doing something bad. Some people try to cause mayhem, some sell their bugs to the bad guys and some work for the greater good. Those that find and responsibly disclose flaws in Facebook, Instagram, Twitter, et al. perform a valuable service and their rewards are bug bounties and kudos.
Speaking of which, thank you, Dan Melamed, from the bottom of our hearts.