Facebook Exploit Allowed Users To Delete Any Video They Wish


Security researcher Dan Melamed recently let the cat out of the bag on an exploit that anybody on Facebook could have used to delete somebody else's videos, up until he found it, handed it over to Facebook for patching, and got a pretty penny for his troubles. The bug in question survived until late June of last year. As for Melamed, he received $10,000 just a couple of weeks after he reported the bug to Facebook. They made him demonstrate it on a test account first, so that they could get a handle on exactly what it was and how to fix it, then handed over the cash. As for the exploit itself, essentially, the bug mimicked an earlier hack that allowed a Facebook user to delete anybody's photos by messing about with the URL when creating and deleting an event and its associated photo.

In order to use the bug, a user must begin by creating an event. From there, they link the event with a video. Once the video is linked, the user can employ the webpage modification tool of their choice while the video is uploading to modify the request on the page. Changing the video request ID to the ID of the video that they want to delete will yield an error, but the video is actually attached. From there, deleting the event would allow them to knock down the video in the same way that they would delete an event and their own paired video. A hacker could easily turn off commenting capabilities on a video as well, rather than deleting it.
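The behaviour described above amounts to a missing ownership check on the video referenced by the request. The Python model below is an added example, not code from the article or from Facebook: it assumes the link was written before the video's owner was verified, and sets the flawed handlers beside hardened ones. All function names and sample data are hypothetical.

```python
# Simplified in-memory model; all names are hypothetical, not Facebook's code.
class Forbidden(Exception):
    pass

def owned_event(store, user, event_id):
    event = store["events"][event_id]
    if event["owner"] != user:
        raise Forbidden("not your event")
    return event

def attach_video_unsafe(store, user, event_id, video_id):
    event = owned_event(store, user, event_id)
    event["video"] = video_id  # flaw 1: write happens before the video check
    if store["videos"].get(video_id) != user:
        raise Forbidden("not your video")  # error returned, link persists

def delete_event_unsafe(store, user, event_id):
    event = owned_event(store, user, event_id)
    store["videos"].pop(event["video"], None)  # flaw 2: cascade trusts the link
    del store["events"][event_id]

def attach_video_safe(store, user, event_id, video_id):
    event = owned_event(store, user, event_id)
    # Authorize every object the request references before any write.
    if store["videos"].get(video_id) != user:
        raise Forbidden("not your video")
    event["video"] = video_id

def delete_event_safe(store, user, event_id):
    event = owned_event(store, user, event_id)
    # Defense in depth: cascade only to media the caller owns.
    if store["videos"].get(event["video"]) == user:
        del store["videos"][event["video"]]
    del store["events"][event_id]

def victim_video_survives(attach, delete):
    """Replay the reported sequence as a regression check on constructed data."""
    store = {"videos": {"v_bob": "bob"},
             "events": {"e_alice": {"owner": "alice", "video": None}}}
    try:
        attach(store, "alice", "e_alice", "v_bob")
    except Forbidden:
        pass  # the reported flow also returned an error at this step
    delete(store, "alice", "e_alice")
    return "v_bob" in store["videos"]
```

Either fix alone keeps the other user's video intact in this model; applying both means a stale or forged link can never drive a cascade delete.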

This is only the latest event in the long and enduring saga of white hat hackers and tech giants having a symbiotic relationship thanks to cash bounties for finding bugs, though not all companies take so kindly to people pointing out flaws in their products, and even Facebook themselves once frowned upon white hat activities in their domain. With the charge mostly led by Google, who publishes the handles of their white hat partners and their achievements and rewards in a report every now and then, the tech world has been slowly warming up to independent security researchers of late.



Copyright ©2017 Android Headlines. All Rights Reserved.

Senior Staff Writer

Daniel has been writing for Android Headlines since 2015, and is one of the site's Senior Staff Writers. He's been living the Android life since 2010, and has been interested in technology of all sorts since childhood. His personal, educational and professional backgrounds in computer science, gaming, literature, and music leave him uniquely equipped to handle a wide range of news topics for the site. These include the likes of machine learning, voice assistants, and AI technology development news in the Android world.
