A security researcher named Dan Melamed recently figured out a way to delete any video on Facebook. He reported the video-deleting loophole to Facebook, and the social giant thanked him for his efforts and awarded him $10,000 as part of its bug bounty program.
How The Exploit Works
Melamed’s method is outrageously simple. It depended solely on a visible piece of a URL that he was able to alter while uploading a video to Facebook. While uploading a sample video, Melamed intercepted the request sent to post the video and took hold of this parameter:
The “Video ID” portion identifies the video that was being uploaded. Once he had intercepted this request, he could change the Video ID portion to the ID of any existing video post on Facebook and continue with the upload. This meant that he could change the parameters of the video while it was being uploaded and send a different video up to the Facebook servers. Once the ID was modified, Facebook would display an error, but the video would still be uploaded successfully.
At that point, Melamed had complete control over the video he had just uploaded (which wasn’t even his own video), the same control he would have had if the video had been uploaded from his account. This means that he could edit, restrict or delete the video entirely.
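The behaviour described above is consistent with a server that accepts a client-supplied Video ID without checking who owns the referenced video. As an added illustration (not Facebook's code and not part of the original article), the Python example below contrasts that pattern with a handler that authorizes the ID before changing any state; the `Store` model, function names, user names and IDs are all hypothetical and constructed for the example.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """The caller referenced a video or post they do not own."""

@dataclass
class Store:
    # Constructed sample state: user "alice" uploaded video 1001.
    video_owner: dict = field(default_factory=lambda: {1001: "alice"})
    post_owner: dict = field(default_factory=dict)   # post_id -> author
    post_video: dict = field(default_factory=dict)   # post_id -> video_id

def attach_unchecked(store, user, post_id, video_id):
    """Flawed pattern: the client-supplied video_id is trusted as-is."""
    store.post_owner[post_id] = user
    store.post_video[post_id] = video_id

def attach_checked(store, user, post_id, video_id):
    """Hardened: authorize first, and write nothing if the check fails."""
    if store.video_owner.get(video_id) != user:
        raise Forbidden(f"{user} may not attach video {video_id}")
    store.post_owner[post_id] = user
    store.post_video[post_id] = video_id

def delete_video_of_post(store, user, post_id):
    """Control over a video is derived from owning the post that holds it."""
    if store.post_owner.get(post_id) != user:
        raise Forbidden(f"{user} does not own post {post_id}")
    video_id = store.post_video.pop(post_id)
    store.video_owner.pop(video_id, None)
    return video_id

def demo():
    """Returns (video survives flawed path, video survives hardened path)."""
    flawed = Store()
    attach_unchecked(flawed, "mallory", 1, 1001)   # swapped-in foreign ID
    delete_video_of_post(flawed, "mallory", 1)     # alice's video is gone

    hardened = Store()
    try:
        attach_checked(hardened, "mallory", 1, 1001)
    except Forbidden:
        pass  # rejected before any state changed
    return 1001 in flawed.video_owner, 1001 in hardened.video_owner

if __name__ == "__main__":
    print(demo())  # (False, True)
```

Because the hardened handler validates before writing, a rejected request leaves no post behind, unlike the reported behaviour where an error was shown but the upload still went through.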
About Facebook Bug Bounty Program
Almost 2 years ago, Facebook launched a program under which security researchers who report bugs to Facebook are rewarded. The Facebook Bug Bounty Program was launched to encourage more people to help keep the social media platform safe and secure. So far the program has been a success, and almost $1 million has been paid out in bounties.
Here is a glimpse of some major exploits whose discovery resulted in bounties for those who discovered them:
Unsecured Personal Details
A 22-year-old security engineer at Flipkart discovered a bug in Facebook that could grant access to messages, credit/debit cards tied to the account, personal photos and other personal information, all without the user’s knowledge.
Post on Someone Else’s Timeline As You Like
Another researcher reported a bug that would allow users to post on the timeline of another user who was not their friend. This vulnerability was used to forcefully post on the wall of someone who was not in their contact list.
These were just some recent examples of exploits that the social media giant had to patch thanks to the work by security researchers and hackers.