Facebook Bug Allowed Hackers to Delete Any Video Posted By Anyone
A security researcher has discovered a critical bug in Facebook that could allow a potential hacker to delete any video posted on the social networking site by anyone. The critical bug was discovered by Dan Melamed in June 2016 when he found out that he could remotely delete any video on Facebook shared by anyone without having the user’s permission or Facebook authentication. He discovered that he could also disable commenting on the video posts using the same bug.
How does this Facebook bug work:
The bug discovered by Melamed is similar to another bug made public by a security researcher, Pranav Hivarekar. Hivarekar had discovered a way to attach the Facebook victim’s video to a comment in order to delete it.
In order to exploit this vulnerability, Melamed first created a public event on the Facebook page and uploaded a video on the Discussion part of the event. While uploading the video, Melamed tampered with the POST request and replaced the Video ID value of his video with the Video ID value of any other video on the social media platform, in this case the victim’s Facebook video he wanted to delete. Facebook responded to Melamed’s request with a server error, i.e. “This content is no longer available,” but the new video was still posted successfully and displayed just fine.
Melamed then discovered that when he deleted his event post, the entire video posted by the unknown victim was deleted as well.
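The behaviour described above comes down to a missing ownership check on a video ID taken from the request. The Python sketch below is an added example, not Facebook's code or Melamed's: a toy in-memory model (the `Store`, `create_post`, `delete_post` and `victim_video_survives` names and the sample users are hypothetical) that runs the same handlers with and without the check.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the requester is not authorized for the object."""


@dataclass
class Store:
    """Constructed in-memory stand-in for the video and post tables."""
    videos: dict = field(default_factory=dict)  # video_id -> owner
    posts: dict = field(default_factory=dict)   # post_id -> (author, video_id)
    next_post_id: int = 1


def create_post(store, user, video_id, check_owner):
    """Attach a client-supplied video ID to a new event post."""
    if video_id not in store.videos:
        raise KeyError(video_id)
    # The video ID arrives in the request body, so the server has to confirm
    # that the requester owns that video before linking it to their post.
    if check_owner and store.videos[video_id] != user:
        raise Forbidden(f"{user} does not own video {video_id}")
    post_id = store.next_post_id
    store.next_post_id += 1
    store.posts[post_id] = (user, video_id)
    return post_id


def delete_post(store, user, post_id, check_owner):
    """Delete a post; the attached video is removed along with it."""
    author, video_id = store.posts[post_id]
    if author != user:
        raise Forbidden("only the author can delete this post")
    del store.posts[post_id]
    # Second layer: cascade the delete only to videos the post author owns.
    if not check_owner or store.videos.get(video_id) == author:
        store.videos.pop(video_id, None)


def victim_video_survives(check_owner):
    """Replay the sequence from the article against constructed data."""
    store = Store(videos={"vid-victim": "victim", "vid-own": "researcher"})
    try:
        post = create_post(store, "researcher", "vid-victim", check_owner)
        delete_post(store, "researcher", post, check_owner)
    except Forbidden:
        pass
    return "vid-victim" in store.videos
```

With `check_owner=False` the other user's video is gone after the post is deleted; with `check_owner=True` the attach request is rejected and the video stays.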
Melamed also mentions that he discovered a way to disable commenting on any video: there’s a drop-down section where you can find “Turn off commenting,” which allows you to disable commenting on the video of your choice. Melamed made a recording about how the bug works and posted it on his blog; you can find it included below.
Facebook acknowledged Melamed’s bug discovery as critical and awarded him $10,000 as a bug bounty. Facebook has also patched the bug, so the process can no longer be exploited by any hacker.