This vulnerability could have let a malicious Facebook user to add a comment on any live stream even if it has a friends only privacy. The comment text was limited to a given set of quick comments.
Summarizing the overall story
Everything started out on October 4, 2018. A friend of mine had shared a live stream of a person who was kicked out from a reality television show for misbehaving with the main judge of the show.
I decided to watch the live stream. I wanted to comment something on it such as Hello!, but it didn't display the comment box at the bottom of my Android screen since the live streamer wasn't a friend of mine. The only thing I could do was to share or react to the live stream. However, I found a way to comment Hello! in the live stream through a newly launched feature on live streams back then.
Then, I decided to create a bug report and submit it to Facebook. I was nearly sure that the bug wouldn't qualify for a bounty both before and after submitting the bug report.
However, after nearly a month of submitting the vulnerability report to Facebook, the chances of getting rewarded from Facebook Security Team started getting higher when they replied back to me mentioning that they resolved the issue and they would get back to me when they are finalized with their bug bounty decisions.
The security team issued a bounty amount of $750 for responsibly reporting this vulnerability.
- Title: Unauthorized Comments on Facebook Live Streams
- Vulnerability Type: Privilege Escalation
- Product Area: Facebook - Android
- A Facebook account (i.e. mine): User X
- An account which isn't a friend of User X and allows only Friends to comment on posts: User V
- A running or an ended live stream on that non-friend's account: Stream J
I visited the profile of User V through my account, User X.
I scrolled down until I found Stream J.
Facebook had launched a new feature which allows people to create quick comments in live streams without having to type general text like Hello and emojis like thumbs up and others.
This quick comment area appears in every live stream and you just have to press on one of the quick comment buttons and it gets commented in the live stream.
I saw this quick comment area in the Stream J of User V. Then, I decided to press on any of the quick comment buttons and it got commented in the live stream. It didn't even display an error or any limitation message. To be sure, I tried again and it got commented again and when I checked the comments list later on, I found my comment there.
Responsible Disclosure Timeline
- Vulnerability Reported: October 5, 2018
- Automated Response: October 5, 2018
- Requested for Video PoC: October 9, 2018
- Submitted PoC: October 9, 2018
- Triaged: October 12, 2018
- Requested information to determine impact (FB): October 12, 2018
- Provided further information (me): October 12, 2018
- Vulnerability Patch Confirmation (FB): November 10, 2018
- Vulnerability Patch Confirmed (me): November 10, 2018
- Bounty Amount Rewarded: November 14, 2018
- Thanked the security team: November 14, 2018
- Inclusion in the Whitehat Thanks page of 2018: November 27, 2018
Check out the Facebook Whitehat Thanks page: facebook.com/whitehat/thanks!