Intruder removes a Facebook live video due to a coding mistake and wins substantial bug bounty
- Cyber Cluster
- May 3, 2021
- 2 min read
Facebook has fixed a coding flaw in its live video service that could have allowed attackers to remove content without the owner's permission.

On April 17, security researcher Ahmad Talahmeh released an advisory outlining how the flaw operated, as well as proof-of-concept (PoC) code that could be used to launch an attack.
Facebook's live video function enables users to transmit and publish live videos, a feature that has been widely embraced not just by individuals, but also by businesses and organisations around the world — especially during the COVID-19 pandemic, when stay-at-home orders were in effect.
Live streams can be published to a website, party, or event. After a broadcast has ended, users can trim the recording to remove unwanted content, by choosing from- and to-timestamps.
Talahmeh discovered a flaw in this feature that allowed a live video to be trimmed to the point of deletion without the owner's consent, an unexpected action with privacy and security implications.
According to the researcher, the trigger is trimming a video down to five milliseconds.
"Trimming video to five milliseconds would result in the video being 0 seconds long, and the owner will be unable to undo the trimming," Talahmeh explains.
Once the target live video's ID and the current user's ID are known, a crafted trim request can be submitted that reduces the video to nothing.
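As an added illustration (not the page's or Facebook's code), the hypothetical server-side validator below shows the two checks a trim handler needs in order to avoid the failure described above: the requester must actually own the video, and the trimmed result must not collapse to zero seconds. All names, the 1-second minimum and the sample video are assumptions.

```python
from dataclasses import dataclass, replace

# Assumed policy: a trimmed replay must keep at least one whole second.
MIN_TRIM_DURATION_MS = 1000


@dataclass(frozen=True)
class LiveVideo:
    video_id: str
    owner_id: str
    duration_ms: int


def stored_length_s(duration_ms: int) -> int:
    """Whole seconds a player would display; a 5 ms clip truncates to 0."""
    return duration_ms // 1000


def trim_unchecked(video: LiveVideo, from_ms: int, to_ms: int) -> LiveVideo:
    """The weak form: applies any range, so 0..5 ms leaves a 0-second video."""
    return replace(video, duration_ms=to_ms - from_ms)


def validate_trim(video: LiveVideo, requester_id: str,
                  from_ms: int, to_ms: int) -> str:
    """Hardened form: returns 'ok' or the reason the request is rejected."""
    # 1. Authorisation is decided by the stored owner, never by IDs in the request.
    if requester_id != video.owner_id:
        return "forbidden"
    # 2. The range must lie inside the recording and be well ordered.
    if from_ms < 0 or to_ms > video.duration_ms or from_ms >= to_ms:
        return "invalid_range"
    # 3. The result must not round down to an empty, un-restorable video.
    new_len = to_ms - from_ms
    if new_len < MIN_TRIM_DURATION_MS or stored_length_s(new_len) == 0:
        return "too_short"
    return "ok"


def trim_checked(video: LiveVideo, requester_id: str,
                 from_ms: int, to_ms: int) -> LiveVideo:
    """Apply the trim only when validation passes; otherwise leave it untouched."""
    if validate_trim(video, requester_id, from_ms, to_ms) != "ok":
        return video
    return replace(video, duration_ms=to_ms - from_ms)


if __name__ == "__main__":
    v = LiveVideo("vid-constructed", "owner-1", 120_000)  # constructed sample
    print(stored_length_s(trim_unchecked(v, 0, 5).duration_ms))   # 0
    print(validate_trim(v, "someone-else", 0, 5))                 # forbidden
    print(validate_trim(v, "owner-1", 0, 5))                      # too_short
```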
Talahmeh reported his findings to Facebook on September 25, 2020. The problem was triaged within two hours, and Facebook announced a patch three days later. The bug earned an $11,000 bounty at BountyCon 2020, and Facebook later awarded two additional bounties of $1150 and $2300.
Separately, the researcher described a way to untrim any live video on the site, a finding that earned a $2875 bounty.
Talahmeh also discovered a security problem involving Facebook business pages and the alerts that inform customers of COVID-19-related changes, such as altered opening hours, deliveries, or access to physical outlets.
This finding earned Talahmeh $750: the "Coronavirus (COVID-19) Update From page name" notice could be updated by users holding only analyst permissions, which are usually read-only.