Fixed: Disclose private videos on Facebook

Impact
This could allow a malicious user to view private videos, provided the malicious user knew the video's FBID.

Endpoint —
https://developers.facebook.com/v2/async/videos/?video_id=xxxxxxxxx

This endpoint returned the video source of any Facebook video, whether it was shared in a message, in a story or at workplace.
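The bug class described here is a missing object-level authorization check: the ID alone selected the video. The following is an added example, not code from the original post or from Facebook; the records, user names, URLs and function names are all constructed for illustration. It models a lookup that trusts the ID next to one that authorizes the viewer first, plus a small audit that lists what the unchecked form would expose.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Video:
    video_id: str
    owner: str
    context: str                      # "public", "message", "story" or "workplace"
    audience: frozenset = frozenset() # users allowed to view a non-public video
    source_url: str = ""

# Constructed sample records (hypothetical IDs and URLs).
VIDEOS = {v.video_id: v for v in [
    Video("1001", "alice", "public", frozenset(), "https://cdn.example/1001.mp4"),
    Video("1002", "alice", "message", frozenset({"bob"}), "https://cdn.example/1002.mp4"),
    Video("1003", "carol", "story", frozenset({"alice", "bob"}), "https://cdn.example/1003.mp4"),
    Video("1004", "dave", "workplace", frozenset({"erin"}), "https://cdn.example/1004.mp4"),
]}

class NotFound(Exception):
    """Raised for unknown IDs and for IDs the viewer may not see."""

def get_source_unchecked(video_id):
    """Pattern described above: knowing the ID is enough to get the source."""
    video = VIDEOS.get(video_id)
    if video is None:
        raise NotFound(video_id)
    return video.source_url

def can_view(viewer, video):
    """Authorization decision made against the object, not the request."""
    if video.context == "public":
        return True
    return viewer is not None and (viewer == video.owner or viewer in video.audience)

def get_source_checked(viewer, video_id):
    """Hardened form: authorize the viewer before returning the source."""
    video = VIDEOS.get(video_id)
    # Same error for "missing" and "forbidden", so responses do not confirm valid IDs.
    if video is None or not can_view(viewer, video):
        raise NotFound(video_id)
    return video.source_url

def audit(viewer):
    """IDs the unchecked handler serves that this viewer is not authorized to see."""
    return sorted(vid for vid, video in VIDEOS.items()
                  if get_source_unchecked(vid) and not can_view(viewer, video))

if __name__ == "__main__":
    for user in ("mallory", "bob", "alice"):
        print(user, "could read via unchecked lookup:", audit(user))
```

Running the same audit in a regression test against every non-public sharing context keeps a new endpoint from reintroducing the gap.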

Timeline:

Reported — 18 Nov, 2018

Fixed — 20 Nov, 2018

Bounty — 16 January, 2019
