A security researcher has discovered a critical vulnerability in Facebook that could allow attackers to delete any video on the social networking site shared by anyone on their wall.
For more step-by-step details about the vulnerability and how it works, you can watch the proof-of-concept video demonstration above, which shows the Facebook video deletion attack in action.
The flaw was discovered by security researcher Dan Melamed in June 2016. It allowed him not only to remotely delete any video on Facebook shared by anyone, without having any permission or authentication, but also to disable commenting on the video of his choice.
Here's how to exploit this flaw:
In order to exploit this vulnerability, Melamed first created a public event on the Facebook page and uploaded a video to the Discussion part of the event.
While uploading the video, the researcher tampered with the POST request using Fiddler and replaced the Video ID value of his video with the Video ID value of any other video on the social media platform.
Although Facebook responded with a server error, i.e. "This content is no longer available," the new video was successfully posted and displayed just fine.
Once this task was accomplished, Melamed deleted his event post, which eventually deleted the attached video.
And guess what? This in turn removed the video from the social networking site and from the wall of the victim.
"You will also notice in the drop down section that there is the option to "Turn off commenting." This allows you to disable commenting on the video of your choice," Melamed writes.
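The steps above amount to a missing server-side ownership check on a client-supplied video ID, combined with a delete that cascades from the post to the attached video. The sketch below is an added illustration, not Facebook's code or Melamed's proof of concept: the `Store` class, its methods, and the user and video names are hypothetical, and it models the unchecked handler beside a hardened one.

```python
# Constructed model of the flaw class described in the article.
# Every name here (Store, create_post, delete_post, ...) is hypothetical.

class Forbidden(Exception):
    pass

class Store:
    def __init__(self):
        self.videos = {}      # video_id -> owner user id
        self.posts = {}       # post_id -> (author user id, attached video_id)
        self._next_post = 1

    def upload_video(self, user, video_id):
        self.videos[video_id] = user

    def create_post(self, user, video_id, check_owner):
        # video_id comes from the request body, so it is untrusted input.
        if video_id not in self.videos:
            raise Forbidden("unknown video")
        if check_owner and self.videos[video_id] != user:
            raise Forbidden("video not owned by caller")
        post_id = self._next_post
        self._next_post += 1
        self.posts[post_id] = (user, video_id)
        return post_id

    def delete_post(self, user, post_id, check_owner):
        author, video_id = self.posts[post_id]
        if author != user:
            raise Forbidden("not the post author")
        del self.posts[post_id]
        # Unchecked form: the attachment link alone authorises the cascade.
        # Hardened form: re-check ownership of the video (defence in depth).
        if not check_owner or self.videos.get(video_id) == user:
            self.videos.pop(video_id, None)

def run_scenario(check_owner):
    """Return True if the victim's video survives an attach-then-delete."""
    s = Store()
    s.upload_video("victim", "v-victim")
    s.upload_video("attacker", "v-attacker")
    try:
        post = s.create_post("attacker", "v-victim", check_owner)  # swapped ID
        s.delete_post("attacker", post, check_owner)
    except Forbidden:
        pass
    return "v-victim" in s.videos
```

The check in `delete_post` matters even when `create_post` is fixed, because posts attached before the fix would otherwise still cascade.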
Video Demonstration
Melamed responsibly reported the vulnerability to the Facebook security team, which patched the vulnerability within two weeks at the beginning of this year.
Shortly after patching the flaw, the social media giant rewarded him with a $10,000 bug bounty for his efforts.
This is not the first time that such a vulnerability, one that could have allowed attackers to delete any video from Facebook, has been disclosed. Bug bounty hunters continuously find and report such bugs to keep the social media platform safe and secure.