Fixed : Disclose private Videos on Facebook

Sameer Rao
1 min readMar 5, 2019

--

Impact
This could allow a malicious user to see private videos provided the malicious user knew the video FBID

Endpoint —
https://developers.facebook.com/v2/async/videos/?video_id=xxxxxxxxx

This endpoint returned video source of any Facebook video either it was shared in message, story or at workplace.

Timeline:

Reported — 18 Nov , 2018

Fixed — 20 Nov , 2018

Bounty — 16Janaury , 2019

--

--