A Facebook Bug that Disclosed Unused Custom Thumbnails of Any Facebook Page’s Public Videos

Sawrav Chowdhury
Published in InfoSec Write-ups
2 min read, Apr 22, 2022


In September of last year I was researching whether Facebook leaked information about private videos. I did not find any vulnerability there, but while navigating through Facebook Creator Studio I came across a vulnerable POST request.

POST /video/composer/edit/thumbnails/?video_id=XXXXXX&av=YYYYYYY HTTP/2

This POST request appeared when I clicked "Edit video" in Creator Studio. I replaced the video_id with the id of a public video belonging to a test account's page, and the response to that request contained links to all of that video's unused custom thumbnails.

For example, suppose a page admin uploads a custom thumbnail to a draft video post on their Facebook page, notices before publishing that it is the wrong image, and uploads the correct one instead. Because of this bug, an attacker could retrieve all of those unused custom thumbnails, which should be private by default.
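The root cause described above is a missing object-level authorization check: the thumbnail-editing endpoint looked up the video by the supplied video_id but never verified that the acting account was allowed to edit the page that owns it. The following is an added example, written for this write-up and not Facebook's code, that models the vulnerable handler beside a hardened one. It assumes that `av` is the id of the account acting on the request, that each custom thumbnail carries a flag saying whether it is the one actually published, and uses a constructed in-memory fixture in place of a real data store.

```python
"""Minimal model of the missing authorization check on
POST /video/composer/edit/thumbnails/?video_id=...&av=...

Added example, not Facebook's code. Assumptions: `av` is the acting
account's id; thumbnails are stored per video with an `in_use` flag;
all data below is a constructed fixture.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Thumbnail:
    url: str
    in_use: bool  # True only for the thumbnail shown on the published video


@dataclass
class Video:
    video_id: str
    page_id: str  # the Page that owns the video
    is_public: bool
    thumbnails: list[Thumbnail] = field(default_factory=list)


# Constructed fixture: "page_a" is administered by "admin_a";
# "attacker" administers an unrelated page and has no role on page_a.
PAGE_ADMINS = {
    "page_a": {"admin_a"},
    "page_b": {"attacker"},
}

VIDEOS = {
    "vid_1": Video(
        video_id="vid_1",
        page_id="page_a",
        is_public=True,
        thumbnails=[
            Thumbnail("https://cdn.example/thumb/draft-wrong.jpg", in_use=False),
            Thumbnail("https://cdn.example/thumb/final.jpg", in_use=True),
        ],
    ),
}


def edit_thumbnails_vulnerable(video_id: str, av: str) -> tuple[int, list[str]]:
    """Behaviour the write-up describes: only the video's existence is
    checked, so any authenticated actor can read every custom thumbnail,
    including drafts that were never published."""
    video = VIDEOS.get(video_id)
    if video is None:
        return 404, []
    return 200, [t.url for t in video.thumbnails]


def can_edit_page(av: str, page_id: str) -> bool:
    """Object-level authorization: does the acting account hold an editing
    role on the Page that owns the object being edited?"""
    return av in PAGE_ADMINS.get(page_id, set())


def edit_thumbnails_fixed(video_id: str, av: str) -> tuple[int, list[str]]:
    """Hardened handler: the editing endpoint serves only the owning Page's
    admins. Everyone else gets 403 regardless of the video's visibility,
    so draft assets are neither returned nor confirmed to exist."""
    video = VIDEOS.get(video_id)
    if video is None:
        return 404, []
    if not can_edit_page(av, video.page_id):
        return 403, []
    return 200, [t.url for t in video.thumbnails]


def public_thumbnail(video_id: str) -> list[str]:
    """What a non-admin may legitimately see: only the thumbnail that is
    actually in use on a public video, never the unused drafts."""
    video = VIDEOS.get(video_id)
    if video is None or not video.is_public:
        return []
    return [t.url for t in video.thumbnails if t.in_use]


if __name__ == "__main__":
    print("vulnerable, attacker:", edit_thumbnails_vulnerable("vid_1", "attacker"))
    print("fixed, attacker:     ", edit_thumbnails_fixed("vid_1", "attacker"))
    print("fixed, owner:        ", edit_thumbnails_fixed("vid_1", "admin_a"))
    print("public view:         ", public_thumbnail("vid_1"))
```

The important design point is that the authorization decision is made against the object that was looked up (the page owning the video), not against the caller's own pages: an actor who legitimately edits some page still has no right to another page's draft assets. A public video's visibility applies only to the published thumbnail, which is why the read path for non-admins is a separate, narrower function.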

Timeline:

September 15, 2021 — Report submitted

September 18, 2021 — Marked as Informative

September 18, 2021 — Requested re-evaluation with more details

September 22, 2021 — Security team not satisfied with the re-evaluation request

September 22, 2021 — Clarified the impact again with detailed information

September 24, 2021 — Asked for more details on reproduction steps

September 24, 2021 — Reproduction steps provided

September 28, 2021 — Security team managed to reproduce

October 8, 2021 — Triaged

November 8, 2021 — Resolved

November 8, 2021 — Fix confirmed from my end

November 10, 2021 — Bounty awarded


My Social Handles

Twitter: https://twitter.com/sawravchy

LinkedIn: https://www.linkedin.com/in/sawrav-chowdhury
