Coding error allowed attackers to delete Facebook live video

The security issue earned the reporting researcher a substantial bug bounty.

Facebook has resolved a coding issue in live video services that allowed attackers to effectively delete content without the consent of owners. 

On April 17, security researcher Ahmad Talahmeh published an advisory explaining how the vulnerability worked, together with Proof-of-Concept (PoC) code able to trigger an attack. 

Facebook's live video allows users to broadcast and publish live streams, a feature that has been widely adopted not only by individuals but also by companies and organizations worldwide -- especially during the time of the COVID-19 pandemic due to stay-at-home orders. 

Owners can publish live streams through a page, group, and event. Once a broadcast has ended, users can implement video trimming to cut out unnecessary content from their streams, such as by scrubbing between to- and from- timestamps.

Talahmeh found an issue with this feature that allowed live video to be trimmed on behalf of owners to the point of deletion, an unexpected behavior that could have ramifications for privacy and security. 

The problem lies in trimming video to five milliseconds, according to the researcher. 

"Trimming video to five milliseconds will cause the video to be 0 seconds long and the owner won't be able to untrim it," Talahmeh says. 

After obtaining the target live video's ID and current user ID, code containing a packaged request for a video to be trimmed can be submitted that removes the video.

Talahmeh reported his findings to the social media giant on September 25, 2020. The issue was triaged within two hours and a patch was confirmed by Facebook three days later. A bug bounty of $11,000 was issued via BountyCon 2020 and two additional bounties, $1150 and $2300, were later awarded by Facebook.

The bug bounty researcher has separately detailed a way to untrim any live video on the platform, a bug bounty report worth $2875. 

In addition, a further security issue surrounding Facebook business pages and updates informing customers of any changes prompted by COVID-19 -- such as alterations to opening times, deliveries, or access to physical outlets -- was found by Talahmeh.

The "Coronavirus (COVID-19) Update From {page name}" system could be updated with analyst permissions -- that are normally read-only -- and this report earned Talahmeh $750. 

ZDNet has reached out to Facebook and we will update when we hear back. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0