Did you know that there was a time when someone could gain control over someone else’s Facebook videos? You could modify the video’s settings, disable the comments, or even delete the video.
This would’ve been very dangerous if enough hackers knew that this Facebook vulnerability existed.
Dan Melamed, a cyber security researcher who worked at Microsoft and A&T and taught at New York University, prevented this from happening.
In June 2016, he discovered a problem in Facebook’s video code that allowed him (and anyone else) to delete any video on Facebook without permission or authentication. He immediately reported it to Facebook and – as a result – earned a $10,000 reward.
How to Delete Anyone’s Facebook Video
Melamed’s method is quite simple for hackers to understand. It relied on an exposed piece of a Facebook URL he was able to intercept while uploading a video to a Facebook page.
In his blog post, he describes how he did it step by step. This is a summary for the non-techies:
- Create a public event on Facebook (or visit any public event)
- Go to the Discussion tab of the event and upload a video.
- Upload the video and intercept the POST request; the POST request is what allows Facebook to store the data from the video.
In that POST request, there is a piece of code (as seen below):
The <Video ID> represents the unique ID of the video you were trying to upload.
At this point, you had the power to change the video ID to any video that currently existed on Facebook.
- Swap out the video ID of the video you just uploaded with the video ID of the one you want to hijack and delete
- Once the modified request goes through, delete the evidence (the event post).
These types of Facebook hacks are the kinds of bugs that can go unnoticed for years. Hackers could have exploited this one and deleted Facebook users’ videos, leaving people wondering what happened to their videos.
Fortunately for us regular Facebook users who don’t know much about hacking, Facebook fixed this problem in July 2016. So Dan Melamed is $10,000 richer and we as a Facebook community are now reassured that we – and only we – have control over our Facebook videos.
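The root cause described above is a server that trusts a video ID taken from the client's POST request. The following is an added example, not Facebook's code or Melamed's, showing that flawed pattern next to a handler that checks ownership on the server; the Store class, its method names and the sample users and video IDs are all constructed for illustration.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the requester may not reference the requested video."""


@dataclass
class Store:
    # Constructed in-memory state standing in for a real database.
    video_owner: dict = field(default_factory=dict)  # video_id -> owner user id
    posts: dict = field(default_factory=dict)        # post_id -> (author, video_id)
    next_post: int = 1

    def _save_post(self, author, video_id):
        post_id = self.next_post
        self.next_post += 1
        self.posts[post_id] = (author, video_id)
        return post_id

    def attach_video_unchecked(self, requester, video_id):
        # Flawed pattern: the video ID from the request body is trusted as-is,
        # so a post can reference a video that belongs to someone else.
        return self._save_post(requester, video_id)

    def attach_video_checked(self, requester, video_id):
        # Hardened pattern: the ID is only a lookup key. Ownership is decided
        # from server-side state tied to the authenticated session user.
        owner = self.video_owner.get(video_id)
        if owner is None or owner != requester:
            # One error for "no such video" and "not yours", so the response
            # does not reveal which video IDs exist.
            raise Forbidden("video not available to this user")
        return self._save_post(requester, video_id)


def demo():
    store = Store(video_owner={"v_alice": "alice", "v_mallory": "mallory"})
    accepted = store.attach_video_unchecked("mallory", "v_alice")  # goes through
    try:
        store.attach_video_checked("mallory", "v_alice")
        blocked = False
    except Forbidden:
        blocked = True
    own = store.attach_video_checked("mallory", "v_mallory")
    return accepted, blocked, own


if __name__ == "__main__":
    print(demo())
```

The same ownership check belongs on every action that takes a video ID, including changing settings, disabling comments and deleting.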