A security researcher found the bug and reported it

Jan 23, 2017 21:32 GMT

Facebook recently patched a bug that could allow attackers to delete any video shared by anyone on their wall.

Security researcher Dan Melamed discovered the flaw back in June 2016. Exploring how far it reached, he found that not only could someone remotely delete any video on Facebook, they could also disable commenting on any video.

Last year, a similar vulnerability was made public by Pranav Hivarekar, another security researcher who discovered a way to attach the victim’s video to a comment in order to delete it.

How the bug works

Melamed’s method is a bit more complicated, but it exposes a serious vulnerability nonetheless. Here is how it works. He created a public event on Facebook (or visited any public event), went to the Discussion tab and created an event post by uploading a photo or video.

While uploading the video, Melamed tampered with the POST request and replaced the Video ID value of his own video with the Video ID of any other video on the social media platform, in this case the victim’s video he wanted removed. Facebook reacts by displaying an error that says the content is no longer available. However, the video gets posted successfully.

The researcher then deleted his event post, which deletes the attached video as well. Due to the bug he discovered, the original video also gets removed from Facebook.
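A minimal model of the flaw and its fix, added here as an illustration and not taken from the article or from Facebook’s code: the service accepts a video ID straight from the request without checking who owns it, and the post’s cascading delete then removes someone else’s video. The class and function names, the numeric IDs and the `check_owner` switch are all assumptions of this constructed example.

```python
from dataclasses import dataclass

@dataclass
class Video:
    video_id: int
    owner: str

class VideoStore:
    """Constructed in-memory stand-in for the service; not Facebook's code."""

    def __init__(self, videos, check_owner):
        self.videos = {v.video_id: v for v in videos}
        self.posts = {}  # post_id -> (author, [attached video ids])
        self.check_owner = check_owner  # False reproduces the flaw, True is the fix

    def _authorize_video(self, actor, video_id):
        # The fix: an object ID taken from the request is re-authorized
        # against the caller instead of being trusted because the caller
        # owns the post it is attached to.
        video = self.videos[video_id]
        if self.check_owner and video.owner != actor:
            raise PermissionError("video %d not owned by %s" % (video_id, actor))
        return video

    def create_post(self, actor, post_id, video_id):
        """Create an event post whose attachment is the supplied video ID."""
        self._authorize_video(actor, video_id)
        self.posts[post_id] = (actor, [video_id])

    def delete_post(self, actor, post_id):
        """Delete a post; attached media is cascade-deleted with it."""
        author, attached = self.posts[post_id]
        if author != actor:
            raise PermissionError("post not owned by actor")
        # The cascade is where a foreign attachment turns into deleting
        # someone else's video, so each attached object is re-checked too.
        for vid in attached:
            self._authorize_video(actor, vid)
            self.videos.pop(vid, None)
        del self.posts[post_id]

def victim_video_survives(check_owner):
    """Post referencing the victim's video (constructed id 42) is created, then deleted."""
    store = VideoStore([Video(42, "victim")], check_owner)
    try:
        store.create_post("attacker", 1, 42)
        store.delete_post("attacker", 1)
    except PermissionError:
        pass
    return 42 in store.videos
```

With `check_owner=False` the victim’s video is gone after the post is deleted; with `check_owner=True` the attachment is refused and the video survives.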

Melamed also found a way to disable commenting on any video: a drop-down menu offers “Turn off commenting,” which disables commenting on the video of your choice. He recorded a demonstration of the bug and posted it on his blog; you can find it included below.

If you are thinking about trying this one out yourself, you are out of luck. The vulnerability was reported to the Facebook security team and was already patched at the beginning of the year. Melamed, for his part, received $10,000 as a bug bounty, a reward many companies offer to those who report bugs.