Fixed: Disclose private videos on Facebook
Mar 5, 2019
Impact
This could allow a malicious user to see private videos, provided the malicious user knew the video's FBID.
Endpoint —
https://developers.facebook.com/v2/async/videos/?video_id=xxxxxxxxx
This endpoint returned the video source of any Facebook video, whether it was shared in a message, in a story or on Workplace.
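The behaviour described above is what a lookup looks like when knowing the object id is treated as permission to read it. As an added example (not Facebook's code and not taken from the original post; the record layout, function names, user names and sample ids are all assumptions constructed here), the Python below puts such a lookup beside one that authorizes the viewer against the video first, plus a small regression check that lists what the unchecked version would expose:

```python
# Added illustration: constructed in-memory model, not Facebook's implementation.
from dataclasses import dataclass

@dataclass(frozen=True)
class Video:
    fbid: str             # constructed placeholder id
    owner: str
    surface: str          # "message", "story" or "workplace"
    audience: frozenset   # users the owner shared the video with
    source_url: str

# Constructed sample records; ids, users and URLs are placeholders.
VIDEOS = {v.fbid: v for v in [
    Video("1001", "alice", "message", frozenset({"bob"}), "https://cdn.example/1001.mp4"),
    Video("1002", "carol", "story", frozenset({"dave"}), "https://cdn.example/1002.mp4"),
    Video("1003", "erin", "workplace", frozenset(), "https://cdn.example/1003.mp4"),
]}

class NotFound(Exception):
    """Raised for unknown ids and for ids the viewer may not see."""

def get_source_unchecked(viewer, video_id):
    """Flawed pattern: the viewer is never consulted, only the id."""
    video = VIDEOS.get(video_id)
    if video is None:
        raise NotFound(video_id)
    return video.source_url

def can_view(viewer, video):
    """Per-object authorization: owner or explicitly shared audience."""
    return viewer == video.owner or viewer in video.audience

def get_source_checked(viewer, video_id):
    """Hardened pattern: authorize on every lookup, whatever the surface."""
    video = VIDEOS.get(video_id)
    # Same error for "missing" and "forbidden", so replies do not confirm ids.
    if video is None or not can_view(viewer, video):
        raise NotFound(video_id)
    return video.source_url

def audit(viewer):
    """Ids the unchecked handler serves to `viewer` but the checked one refuses."""
    exposed = []
    for fbid in VIDEOS:
        try:
            get_source_checked(viewer, fbid)
        except NotFound:
            get_source_unchecked(viewer, fbid)  # succeeds: the gap being tested
            exposed.append(fbid)
    return sorted(exposed)
```

A check like `audit` belongs in the test suite for any endpoint that takes an object id, run once per sharing surface so a new surface cannot skip the permission check.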
Timeline:
Reported — 18 Nov, 2018
Fixed — 20 Nov, 2018
Bounty — 16 January, 2019