However, during this operation Facebook forgot to add permission checks to the delete operation.

Proof Of Concept

1. Create a comment on a post via API.

2. Edit the comment and attach a VIDEO of your choice via API.


(As it takes 20 secs to DELETE the video from Facebook's server.)

DELETE /<comment id>

This will delete the video.
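The missing check described above, shown as an added example that is not part of the original article and is not Facebook's code. It is a hypothetical in-memory model (`Store`, `Comment` and both delete methods are made-up names) in which deleting a comment cascades to its attached video, first without and then with an ownership check on the video.

```python
# Added illustration: a hypothetical in-memory model, not Facebook's code.
from dataclasses import dataclass
from typing import Dict, Optional


class Forbidden(Exception):
    """Raised when the caller lacks permission for the operation."""


@dataclass
class Comment:
    owner: str
    video_id: Optional[str] = None  # attachment referenced by id


class Store:
    def __init__(self) -> None:
        self.videos: Dict[str, str] = {}        # video id -> owner
        self.comments: Dict[str, Comment] = {}  # comment id -> comment

    def delete_comment_unchecked(self, caller: str, comment_id: str) -> None:
        """Flawed pattern: authorizes the comment only, then cascades."""
        comment = self.comments[comment_id]
        if comment.owner != caller:
            raise Forbidden("not the comment owner")
        del self.comments[comment_id]
        if comment.video_id is not None:
            self.videos.pop(comment.video_id, None)  # no check on the video

    def delete_comment_checked(self, caller: str, comment_id: str) -> None:
        """Hardened pattern: each object the delete destroys is authorized."""
        comment = self.comments[comment_id]
        if comment.owner != caller:
            raise Forbidden("not the comment owner")
        del self.comments[comment_id]
        vid = comment.video_id
        # Cascade only to a video the caller owns; otherwise just unlink it.
        if vid is not None and self.videos.get(vid) == caller:
            del self.videos[vid]


def demo(delete_method_name: str) -> bool:
    """Return True if bob's video survives alice deleting her own comment."""
    store = Store()
    store.videos["v1"] = "bob"  # constructed sample data
    store.comments["c1"] = Comment(owner="alice", video_id="v1")
    getattr(store, delete_method_name)("alice", "c1")
    return "v1" in store.videos
```
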

Pranav was awarded a five digit bug bounty reward by Facebook for his research.


source: www.techworm.net