Facebook fixes coding error to delete live video

More fear than harm. Facebook has just fixed a coding flaw in its live video service that allowed live-streamed content to be removed without its authors' consent. On April 17, security researcher Ahmad Talahmeh published a write-up explaining how the vulnerability works, along with proof-of-concept (PoC) code capable of triggering the attack.

Facebook’s live video feature lets users broadcast and post live streams, and it is widely used not only by individuals but also by businesses, especially during the current health crisis. Owners can post live feeds through a Page, Group or Event. Once a broadcast is complete, users can trim the video to remove unnecessary content from the stream, for example by adjusting its start and end points.

However, security researcher Ahmad Talahmeh recently discovered that this feature let live videos be trimmed on the owner's behalf to the point of deletion, an unexpected behaviour with privacy and security implications. According to the researcher, the problem lies in trimming the video down to five milliseconds. “If the video is cut at five milliseconds, it will only last 0 seconds and the owner will no longer be able to cut it”, he explains.

Bug bounty killer

With the target live video's ID and the current user's ID in hand, it was possible to submit a crafted video-trimming request that removed the video. Talahmeh shared his findings with the social network on September 25, 2020. The problem was fixed within two hours, and Facebook confirmed the fix three days later. A bounty of $11,000 was awarded through BountyCon 2020, and Facebook subsequently granted two further bounties of $1,150 and $2,300.
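The two checks the bug description implies a trim endpoint must enforce, as an added illustration that is not Facebook's code and not the researcher's PoC: the server must verify that the requester owns the video, and must reject a trim that would leave a zero-length (or near-empty) video, such as the five-millisecond cut described above. `LiveVideo`, `MIN_DURATION_MS` and the sample IDs are constructed for this example.

```python
from dataclasses import dataclass

# Hypothetical floor: a trim may not leave a (near-)empty video behind.
MIN_DURATION_MS = 1000


@dataclass
class LiveVideo:
    video_id: str
    owner_id: str
    duration_ms: int


class TrimError(Exception):
    pass


def trim_live_video(video: LiveVideo, requester_id: str, start_ms: int, end_ms: int) -> LiveVideo:
    """Server-side trim handler (hypothetical model, not Facebook's implementation).

    1. Authorization: only the owner may trim; a request is not honoured merely
       because it carries a valid video ID and some user ID.
    2. Validation: the remaining span must still be a real video, so a request
       that would leave 0 seconds (e.g. a 5 ms cut) is rejected instead of
       effectively deleting the stream.
    """
    if requester_id != video.owner_id:
        raise TrimError("requester is not the owner of this live video")
    if not (0 <= start_ms < end_ms <= video.duration_ms):
        raise TrimError("trim bounds lie outside the video")
    remaining = end_ms - start_ms
    if remaining < MIN_DURATION_MS:
        raise TrimError(f"trim would leave {remaining} ms, below the {MIN_DURATION_MS} ms floor")
    return LiveVideo(video.video_id, video.owner_id, remaining)


def trim_outcome(video: LiveVideo, requester_id: str, start_ms: int, end_ms: int) -> str:
    """Return 'ok' or the rejection reason, suitable for an audit log entry."""
    try:
        trim_live_video(video, requester_id, start_ms, end_ms)
        return "ok"
    except TrimError as err:
        return str(err)


if __name__ == "__main__":
    # Constructed sample: a 10-minute stream owned by user "owner-1".
    v = LiveVideo("video-123", "owner-1", 600_000)
    print(trim_outcome(v, "attacker-9", 0, 5))           # non-owner: rejected
    print(trim_outcome(v, "owner-1", 0, 5))              # 5 ms cut: rejected
    print(trim_outcome(v, "owner-1", 30_000, 570_000))   # legitimate trim: ok
```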

The researcher separately detailed a way to trim any live video on the platform, a bug bounty report worth $2,875. He also discovered another security issue in the COVID-19 updates on Facebook business pages, which notify customers of changes caused by the pandemic, such as altered opening hours, deliveries or access to physical points of sale.

The “Coronavirus (COVID-19) Update From {page name}” notice could be edited with analyst permissions, which are normally read-only; this report earned Talahmeh $750. Asked by the editorial staff of , Facebook had not yet responded at the time of writing.

Source: .com
