Pranav Hivarekar's Security Blog

REST-API Lover | Security Researcher | API Coder | Ambivert | GET /noob


Facebook's API Bug - Add/Remove `videos` from `video playlists` using a `user access_token` with `public_profile` permissions

Description

The endpoint /{videolist_id}/videos is undocumented, so there is no real documentation for it on the developers' site. Still, by analogy with other endpoints, we can guess how it works.

Facebook recently released new features for pages, and video playlists were one of them. Now we can upload videos to a page, create a video playlist, and arrange relevant videos for our audience. It gave our beloved Facebook pages a really cool look.

Before, folks were only allowed to upload videos to a page; creating video playlists was not offered. So it was difficult for the audience to navigate through video content, and it also troubled page managers.

Now, through the Graph API, a user access_token with public_profile permissions was allowed to add/remove videos from video playlists.

I researched and found an analogy between other endpoints. In the end, I came to the conclusion that dealing with pages or creating/editing content on pages demands manage_pages permissions, and that to modify/edit an object we must possess publish_pages permissions. So, this bug was good to go.

Proof Of Concept

  1. Post a video on a page.
  2. Go to the page and create a new Video Playlist.
  3. Now, add the video to the Video Playlist you created.
  4. Now any app that has a user access_token with public_profile permissions can REMOVE the video from the playlist.

Request (user access_token with public_profile permissions)

DELETE /638315639602275/videos?video_ids%5B0%5D=729336823853677&access_token=redacted

Response

{
"success": true
}

The video got removed from video playlist. :D
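
The missing check, modelled server-side as an added example (this is not Facebook's code and not part of the original post). It assumes the fix follows the permission model inferred above, that is, both manage_pages and publish_pages plus a role on the owning page; the function names, store layout and IDs are hypothetical and constructed.

```python
from dataclasses import dataclass

# Hypothetical names and constructed sample data (not Facebook's code).
PAGE_ADMINS = {"page_1": {"admin_user"}}   # page -> users with a role on it
PLAYLIST_PAGE = {"playlist_1": "page_1"}   # playlist -> owning page
REQUIRED_SCOPES = frozenset({"manage_pages", "publish_pages"})  # assumption

class Forbidden(Exception):
    pass

@dataclass(frozen=True)
class Token:
    user_id: str
    scopes: frozenset

def new_store():
    """Fresh playlist contents for each run (constructed IDs)."""
    return {"playlist_1": ["video_1", "video_2"]}

def _remove(store, playlist_id, video_ids):
    store[playlist_id] = [v for v in store[playlist_id] if v not in video_ids]
    return {"success": True}

def remove_videos_vulnerable(store, token, playlist_id, video_ids):
    """Behaviour the post reports: any valid user token may edit the playlist."""
    if token is None:
        raise Forbidden("missing token")
    return _remove(store, playlist_id, video_ids)

def remove_videos_hardened(store, token, playlist_id, video_ids):
    """Check token scopes and the caller's role on the page owning the object."""
    if token is None:
        raise Forbidden("missing token")
    page_id = PLAYLIST_PAGE.get(playlist_id)
    if page_id is None:
        raise Forbidden("unknown playlist")
    missing = REQUIRED_SCOPES - token.scopes
    if missing:
        raise Forbidden("token lacks: " + ", ".join(sorted(missing)))
    if token.user_id not in PAGE_ADMINS.get(page_id, set()):
        raise Forbidden("user has no role on the owning page")
    return _remove(store, playlist_id, video_ids)
```

The second check matters as much as the first: a token that carries the page scopes but belongs to a user with no role on that page is still rejected.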

My special thanks to Neal. :-) And Facebook's security team. :)

Timeline

Mar 27, 2015 11:11pm – Report Sent
Mar 28, 2015 6:46am – Escalation by Facebook
Apr 2, 2015 12:48am – Asked about confirmation of fix
Apr 2, 2015 11:05am – Fix confirmed by me
Apr 2, 2015 2:11pm – Bounty awarded by Facebook