Sometimes the biggest exploits come from the smallest of places.
This turned out to be the case for Facebook, as researcher/computer whiz Dan Melamed managed to find a simple trick that lets a user turn off comments on – and outright delete – videos uploaded by someone else.
The exploit Melamed reported is deceptively straightforward. The basic explanation is that while uploading their own video to an event page, a user can change the video's ID number mid-post to that of another user's video.
This results in the targeted video being posted instead, with the user who posted it, rather than its owner, now having control over it. This would allow them to either disable comments or delete the video entirely, just as if they were authorized by the video's original owner.
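The flaw described above is a missing server-side ownership check on a client-supplied object ID. The following is an added toy model, not Facebook's code and not from the original report; the store layout, the `managers` set and all function names are hypothetical, and the sample IDs and users are constructed. It shows the unchecked handler beside one that verifies ownership when the post is committed.

```python
# Added illustration: a toy model of the flaw, not Facebook's code.
from dataclasses import dataclass, field

@dataclass
class Video:
    owner: str
    comments_enabled: bool = True
    managers: set = field(default_factory=set)   # users allowed to manage it

class Forbidden(Exception):
    pass

def new_store():
    # Constructed sample data: video 1001 belongs to alice, 2002 to mallory.
    return {1001: Video("alice"), 2002: Video("mallory")}

def attach_vulnerable(store, user, video_id):
    """Trusts the client-supplied ID: whoever posts the video gets control."""
    video = store[video_id]
    video.managers.add(user)          # no check that user owns video_id
    return video

def attach_hardened(store, user, video_id):
    """Re-checks ownership server-side at the moment the post is committed."""
    video = store.get(video_id)
    if video is None or video.owner != user:
        raise Forbidden(f"{user} may not attach video {video_id}")
    video.managers.add(user)
    return video

def can_manage(store, user, video_id):
    video = store[video_id]
    return user == video.owner or user in video.managers

def delete_video(store, user, video_id):
    if not can_manage(store, user, video_id):
        raise Forbidden(f"{user} may not delete video {video_id}")
    del store[video_id]

if __name__ == "__main__":
    s = new_store()
    attach_vulnerable(s, "mallory", 1001)   # ID swapped from 2002 to 1001
    print("vulnerable:", can_manage(s, "mallory", 1001))
    s = new_store()
    try:
        attach_hardened(s, "mallory", 1001)
    except Forbidden as e:
        print("hardened:", e)
```

The hardened handler returns the same error for a missing ID and for someone else's ID, so the response does not reveal which video IDs exist.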
While that might be a blessing to anyone with a compromising video of them online from that crazy New Year's party or anything else best kept off Facebook, Melamed saw the potential harm in the bug and demonstrated it to the social media giant so it could be patched.
The icing on the cake? For his efforts, Melamed was awarded a $10,000 bounty by Facebook shortly after showing the social media company the exploit.
Even though Melamed reported the bug last summer, you can now see the so-called hack in motion in the video below: