Facebook security error allows hackers to delete any user’s videos

Facebook announced the correction of a coding error in its video services that would allow threat actors to remove content without users being able to intervene. Ahmad Talahmeh, a cybersecurity specialist, published a report on the error, as well as revealing a proof of concept (PoC).

Due to pandemic isolation measures, thousands of users are increasingly turning to the Facebook Live feature, which allows live streaming for a variety of purposes. Facebook account owners can post live streams through pages or groups, and once the live stream ends, they can post an edited version of the video.

The expert notes that he encountered a problem in the feature that allows to trim the transmitted video until it is completely deleted, something that obviously should not be possible in conventional circumstances: “Videos can be cut to milliseconds, making the video last less than a second in real terms,” Talahmeh says.

After obtaining identification of a vulnerable stream, it is possible to send a code containing a packaged request to trim the video. The expert notified Facebook in September 2020 and, just a couple of hours later, the issue had been fixed. Talahmeh received a $11,000 payment through Facebook’s rewards program.

In a separate report, Talahmeh discovered another security flaw related to Facebook’s business pages and their updates to any changes arising from the pandemic and security measures to which users would be subjected: “The Coronavirus Update System (COVID-19) From the target page name” could be updated with analyst permissions, which are usually read-only” the expert added.

Facebook is expected to post an update to the incident in the coming days. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.