How to delete any video on Facebook

All it takes is exploiting some exposed code to take control of any video on the social network.

screen-shot-2017-01-24-at-08-59-59.jpg
Screenshot via YouTube

A security researcher earned himself $10,000 after reporting a vulnerability which allowed attackers to hijack and delete any video they wished on Facebook.

On Monday, researcher Dan Melamed publicly disclosed the critical flaw, saying in a blog post that the bug allowed him to not only disable commenting on any video, but also delete them without permission or authentication.

Discovered back in June, the vulnerability is a very simple one to exploit as it only takes an attacker to intercept a piece of an exposed URL. In order to exploit the flaw, you visit or create a public event page, go to the Discussion tab and upload a photo or video.

The POST request for the upload then needs to be intercepted, and the vulnerable parameter "composer_ unpublished_ photo[0]= < video id="" >" can then be modified with the video ID of the content you wish to delete.

Once submitted, Facebook comes back with an error which states the content is no longer available, but the video will still be attached to the event. The victim's video can then be deleted once the event page has been refreshed and the event post has been deleted through the right-hand dropdown menu.

Roughly 30 seconds after, Facebook comes back with a warning which states: "You are about to delete this post. The video will also be removed from Photos and Videos."

The content will then be deleted without the need for permissions or authorization.

There is also the option in the same main tab to "Turn off commenting," which will also disable commenting on the video of your choice across the social network, rather than just on the event page.

The vulnerability was first discovered last year, and the bug was reported to the social media giant on 29 June, 2016. Facebook then requested a video demonstration as a proof-of-concept (PoC), which was provided in the same month.

The company then awarded Melamed $10,000 in July for reporting the problem.

If you're looking to try it out, you're out of luck as the vulnerability was patched before public disclosure. However, the bounty does highlight how the smallest flaws can have severe consequences on social media networks.