Coding error allowed attackers to delete Facebook live video
Facebook has recently resolved an issue that allowed attackers to delete content posted on Facebook Live without the consent of the video’s owner. Just two days ago, cybersecurity researcher Ahmad Talahmeh posted an advisory explaining how the vulnerability worked and providing proof-of-concept code that was able to trigger the attack. Facebook Live allows users to broadcast and publish live streams, a feature that has become more popular during the Covid-19 pandemic.
Talahmeh found that Facebook allowed a live video to be trimmed on behalf of owners to the point of deletion, a function that had ramifications for privacy and security. Talahmeh described the issue as an “unexpected behavior,” as videos could be trimmed to as little as five milliseconds. Talahmeh’s code contains a package request that can be deployed to trim the video down to this length, making it less than 1 second.