A coding error let attackers delete Facebook live videos


Facebook has fixed a programming error in its live video service that allowed attackers to remove videos without the user’s permission.

On April 17, security researcher Ahmad Talahmeh published a write-up outlining how the flaw works, along with Proof-of-Concept (PoC) code that demonstrates the attack.

Facebook Live Video allows users to stream and publish live streams, a feature widely adopted not only by individuals but also by companies and organizations around the world – especially during the COVID-19 epidemic because of stay-at-home orders.

Owners can publish live streams on pages, groups, and events. When the broadcast is over, users can trim the video to cut out unnecessary content from their streams, for example by trimming between timestamps.

Talahmeh found a flaw in this feature that allows a live video to be trimmed on the owner's behalf to the point that it is removed, an unexpected behavior that may have consequences for privacy and security.

The problem lies in trimming the video to five milliseconds, according to the researcher.

“Cutting the video by five milliseconds will cause the video to be 0 seconds long and the owner will be able to delete it,” Talahmeh said.

After obtaining the live video ID and the current user ID, code containing the video trim request can be sent to remove the video.
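The kind of server-side check that blocks this class of request, as an added example that is not Facebook's code or the researcher's PoC (the page does not describe how the fix works). The names `Video`, `validate_trim`, `MIN_TRIMMED_MS` and the one-second minimum are assumptions, and the sample IDs are constructed.

```python
from dataclasses import dataclass

MIN_TRIMMED_MS = 1000  # assumed policy: a trimmed video must stay at least 1 s long


class TrimRejected(Exception):
    """Raised when a trim request must not be applied."""


@dataclass(frozen=True)
class Video:
    video_id: str
    owner_id: str
    duration_ms: int


def validate_trim(video: Video, session_user_id: str, start_ms: int, end_ms: int) -> int:
    """Return the new duration in ms, or raise TrimRejected."""
    # 1. Authorize against the authenticated session, not against a user ID
    #    that the client put in the request.
    if session_user_id != video.owner_id:
        raise TrimRejected("requester does not own this video")
    # 2. The requested range must lie inside the recording.
    if not (0 <= start_ms < end_ms <= video.duration_ms):
        raise TrimRejected("trim range outside the recording")
    # 3. Refuse trims that leave an effectively empty video: a 5 ms clip
    #    is 0 s long once the duration is expressed in whole seconds.
    new_duration = end_ms - start_ms
    if new_duration < MIN_TRIMMED_MS:
        raise TrimRejected("trimmed video would be too short")
    return new_duration


def check(video: Video, user: str, start_ms: int, end_ms: int) -> str:
    """Turn the validation result into a string for logging or display."""
    try:
        return f"ok:{validate_trim(video, user, start_ms, end_ms)}"
    except TrimRejected as exc:
        return f"rejected:{exc}"


# Constructed sample data, not real Facebook identifiers.
SAMPLE = Video(video_id="vid-001", owner_id="owner-1", duration_ms=600_000)

if __name__ == "__main__":
    print(check(SAMPLE, "owner-1", 0, 5))            # the 5 ms trim from the report
    print(check(SAMPLE, "someone-else", 0, 60_000))  # non-owner request
    print(check(SAMPLE, "owner-1", 30_000, 90_000))  # legitimate trim
```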

Talahmeh reported his findings to the media giant on September 25, 2020. The issue was triaged within two hours and a patch was confirmed by Facebook three days later. A $11,000 bounty was issued via BountyCon 2020, and two additional rewards, $1150 and $2300, were later granted by Facebook.

The bug bounty researcher has also described how to remove any live video from the platform, in a $2875 bug bounty report.

Talahmeh also discovered another security issue, this one involving Facebook business pages and the updates that inform customers of any changes caused by COVID-19, such as changes in opening times, delivery, or access to physical stores.

The “Coronavirus (COVID-19) Update From {page name}” system could be updated with analyst permissions, which are usually read-only, and the report earned Talahmeh $750.
