The flaw has been discovered by security researcher Dan Melamed in June 2016, allowing him not only to remotely delete any video on Facebook shared by anyone without having any permission or authentication but also to disable commenting on the video of your choice.
Here's how to exploit this flaw:
In order to exploit this vulnerability, Melamed first created a public event on the Facebook page and uploaded a video on the Discussion part of the event.
While uploading the video, the researcher tampered the POST request using Fiddler and then replace the Video ID value of his video with Video ID value of any other video on the social media platform.
Although Facebook responded to this issue with a server error, i.e. "This content is no longer available," but the new video was successfully got posted and displayed just fine.
Once this task was accomplished, Melamed deleted his event post, which eventually deleted the attached video.
AI vs. AI: Harnessing AI Defenses Against AI-Powered Risks
Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.Supercharge Your Skills
And guess what? This in turned removed the video from the social networking site and the wall of the victim.
"You will also notice in the drop down section that there is the option to "Turn off commenting." This allows you to disable commenting on the video of your choice," Melamed writes.
Melamed responsibly reported the vulnerability to the Facebook security team, which patched the vulnerability within two weeks at the beginning of this year.
Shortly after patching the flaw, the social media giant rewarded him $10,000 bug bounty for his efforts.
This is not the very first time when such vulnerability has been disclosed in Facebook that could have allowed attackers to delete any video from Facebook. Bug bounty hunters continuously find and report such bugs to keep the social media platform safe and secure.