Posted on April 19, 2021 at 7:05 PM
A recent report revealed how a coding error in Facebook’s live video services enabled threat actors to delete contents on victims’ systems remotely. However, the social media giant says it has solved the problem.
Security researcher Ahmad Talahmeh recently documented the discovery, revealing how the bug allows hackers remote access.
According to the researcher, the vulnerability can be triggered with proof-of-concept (PoC) code.
Facebook Live video makes it easy to broadcast and publish live streams. Although it is a new feature, it has been adopted widely by individual users, organizations, and institutions all over the world. Its adoption increased during the COVID-19 pandemic, when many workers were forced to work from home.
Users can publish live streams via events, groups, or pages. After a live stream has ended, users can use the video trimming feature to remove unwanted content from the recording. It is an efficient method that has kept both content creators and viewers satisfied.
However, researcher Talahmeh discovered a major problem with the feature: it allowed unauthorized persons to trim video content, and even delete it, without the owner's consent. The researcher stated that such an unexpected action can lead to privacy and security issues.
The issue is already patched
According to the researcher, the main issue arises when a video is trimmed to five milliseconds. When this happens, the video becomes 0 seconds long, which is practically empty, and it cannot be untrimmed.
Once the current user ID and the target's live video ID have been obtained, a crafted trim request referencing that video can be submitted to remove it.
The researcher reported his findings to Facebook in September last year, and the social media giant tackled the issue head-on immediately. Within three days, Facebook confirmed that a patch for the issue had been developed.
As a show of appreciation to the researcher for his discovery, Facebook issued a reward of $11,000 through BountyCon 2020. The tech giant included additional bounties of $2,300 and $1,150 at a later date.
Untrimming the live videos
Talahmeh did not stop at reporting the flaw. He went on to provide a detailed explanation of how to untrim any live video on the platform, which earned him an additional bug bounty reward of $2,875.
Furthermore, another security issue was discovered in the COVID-19 updates on Facebook business pages. Talahmeh explained that this feature informs customers of any changes caused by COVID-19, such as access to physical outlets, deliveries, or changes to opening times.
The COVID-19 Update page could be edited with analyst permissions, which are normally read-only. This additional report by Talahmeh earned him another $750 as a bounty reward.
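Both issues described above come down to a missing authorization check on the server side: the trim endpoint accepted any live video ID without confirming that the caller owned the video, and the COVID-19 update accepted writes from a role that should have been read-only. The following is an added example, not Facebook's code, of how a defender models those two checks in one small module: an object-level ownership check for trimming and untrimming, a role-level check for the page update, and a guard against the degenerate five-millisecond trim the article mentions. The class names, the role names (`admin`, `editor`, `analyst`) and the one-second minimum are assumptions chosen for the illustration.

```python
"""Authorization checks for a live-video trim endpoint and a business-page update.

Added example, not Facebook's code. It models the two gaps the article
describes: an object-level check (may this user edit this live video?) and a
role-level check (may an analyst write to a page's COVID-19 update?).
Class names, role names and the minimum-length rule are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumed policy: refuse any trim that would leave less than one second of video.
MIN_TRIM_MS = 1000

# Assumed role model: only these page roles may write; "analyst" is read-only.
WRITE_ROLES = {"admin", "editor"}


class Forbidden(Exception):
    """Raised when the acting user is not allowed to perform the operation."""


@dataclass
class User:
    user_id: int
    # page_id -> role name for that page, e.g. {42: "analyst"}
    roles: Dict[int, str] = field(default_factory=dict)


@dataclass
class LiveVideo:
    video_id: int
    owner_id: int
    duration_ms: int
    trim: Optional[Tuple[int, int]] = None  # (start_ms, end_ms) once trimmed


@dataclass
class BusinessPage:
    page_id: int
    covid_update: str = ""


def trim_video(actor: User, video: LiveVideo, start_ms: int, end_ms: int) -> LiveVideo:
    # Object-level authorization: knowing a video ID is not proof of ownership.
    if video.owner_id != actor.user_id:
        raise Forbidden(f"user {actor.user_id} does not own video {video.video_id}")
    # Input validation: the range must lie inside the recording.
    if not (0 <= start_ms < end_ms <= video.duration_ms):
        raise ValueError("trim range out of bounds")
    # Reject trims that would leave an effectively empty, unrecoverable clip.
    if end_ms - start_ms < MIN_TRIM_MS:
        raise ValueError("trim would leave an effectively empty video")
    video.trim = (start_ms, end_ms)
    return video


def untrim_video(actor: User, video: LiveVideo) -> LiveVideo:
    # Same ownership check on the reverse operation.
    if video.owner_id != actor.user_id:
        raise Forbidden(f"user {actor.user_id} does not own video {video.video_id}")
    video.trim = None
    return video


def update_covid_notice(actor: User, page: BusinessPage, text: str) -> BusinessPage:
    # Role-level authorization: the caller's role on this page must permit writes.
    role = actor.roles.get(page.page_id)
    if role not in WRITE_ROLES:
        raise Forbidden(f"role {role!r} may not edit page {page.page_id}")
    page.covid_update = text
    return page


def demo() -> dict:
    """Run the checks against constructed sample data and report each outcome."""
    owner = User(user_id=1)
    other_user = User(user_id=2)
    editor = User(user_id=3, roles={42: "editor"})
    analyst = User(user_id=4, roles={42: "analyst"})
    video = LiveVideo(video_id=100, owner_id=1, duration_ms=600_000)
    page = BusinessPage(page_id=42)
    results = {}

    try:  # a non-owner submitting the target's video ID is refused
        trim_video(other_user, video, 0, 5)
        results["other_user_trim"] = "allowed"
    except Forbidden:
        results["other_user_trim"] = "forbidden"

    try:  # the owner cannot trim the video down to five milliseconds either
        trim_video(owner, video, 0, 5)
        results["owner_5ms_trim"] = "accepted"
    except ValueError:
        results["owner_5ms_trim"] = "rejected"

    results["owner_trim"] = trim_video(owner, video, 0, 60_000).trim
    results["owner_untrim"] = untrim_video(owner, video).trim

    try:  # read-only analyst role cannot write the COVID-19 update
        update_covid_notice(analyst, page, "Closed")
        results["analyst_update"] = "allowed"
    except Forbidden:
        results["analyst_update"] = "forbidden"

    results["editor_update"] = update_covid_notice(editor, page, "Open for delivery only").covid_update
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the ownership check is that it keys on the server's record of `owner_id`, never on anything the client sends; the role check likewise reads the caller's role from the server-side page membership rather than trusting a client-supplied role.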
A bounty program is set up by companies to compensate security researchers and white-hat hackers for their efforts in discovering vulnerabilities in the company's systems. It is usually used to keep the system safe from darknet hackers who would exploit any bug they discover.
Facebook’s program is one of the most popular, as it has awarded countless researchers with a bounty through its program.
In March, security researcher Alaa Abdulridha was awarded $55,000 for discovering a pair of vulnerabilities in a third-party application.
The researcher showed how the application's authentication cookies could be exploited to manipulate or compromise the accounts of Facebook employees.
He discovered another vulnerability that enabled him to alter the user account of any admin without the owner’s knowledge. It goes to show that no company is completely safe from exploitation, not even the tech giants with all the technology at their disposal.
Security researchers have always stressed the need for employees and other Facebook users to remain vigilant and careful about sending vital information over the internet.