Security researcher Dan Melamed figured out a clever way to delete any video on Facebook earlier this year, and the social network rewarded him with $10,000 for responsibly reporting his hack.
Melamed’s method was shockingly simple and relied on an exposed parameter in a request that he was able to intercept while uploading a video to a Facebook page he had created. While uploading a dummy video, Melamed intercepted the request sent to post the video and grabbed this parameter:
composer_unpublished_photo[0]=<Video ID>
The “Video ID” portion is the identifier of the video Melamed was uploading. With the request intercepted, Melamed could replace that ID with the ID of any video that already existed on Facebook and let his upload continue. In other words, he could change the parameters halfway through the upload and effectively send a different video up to Facebook’s servers during the upload process. Once the ID was modified, Facebook displayed an error, but the video was still uploaded successfully.
At that point, Melamed had total control over the video he had just “uploaded”, even though it wasn’t his: the same control he would have had if he were the original uploader. That meant he could modify the video’s settings so that comments were disabled, or, even better, delete the video entirely.
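The underlying mistake is a missing ownership check on a client-supplied object ID. The following is an added illustration, not Facebook’s code: a vulnerable post-composer handler that trusts composer_unpublished_photo[0] as given, next to a fixed one that verifies the referenced upload is the caller’s own unpublished draft. The user names, video IDs and field names are constructed for the example.

```python
# Added illustration (not Facebook's code): the authorization gap behind
# the composer_unpublished_photo[0] bug, modelled with constructed data.
# The client names a video ID it claims to have just uploaded; the
# vulnerable handler trusts it, the fixed one checks ownership first.

# Constructed sample state (hypothetical IDs and user names).
VIDEOS = {
    "vid-1001": {"owner": "melamed", "published": False},
    "vid-2002": {"owner": "victim", "published": True},
}

class AuthorizationError(Exception):
    pass

def attach_video_vulnerable(caller, params):
    """Trusts composer_unpublished_photo[0] as-is (the original flaw)."""
    video_id = params["composer_unpublished_photo[0]"]
    if video_id not in VIDEOS:
        raise KeyError(video_id)
    # Ownership is never compared with the caller, so the caller ends up
    # recorded as controller of whatever ID was supplied.
    return {"post_by": caller, "video": video_id, "controlled_by": caller}

def attach_video_fixed(caller, params):
    """Only attaches a draft upload that belongs to the caller."""
    video_id = params["composer_unpublished_photo[0]"]
    video = VIDEOS.get(video_id)
    if video is None:
        raise KeyError(video_id)
    if video["owner"] != caller or video["published"]:
        # One response for "not yours" and "not a draft", so the check
        # does not reveal whether someone else's video ID exists.
        raise AuthorizationError("not an unpublished upload of the caller")
    return {"post_by": caller, "video": video_id, "controlled_by": caller}

def can_delete(post, actor):
    """Deletion is allowed for whoever the post records as controller."""
    return post["controlled_by"] == actor

def fixed_rejects(caller, params):
    """True when the hardened handler refuses the request."""
    try:
        attach_video_fixed(caller, params)
    except AuthorizationError:
        return True
    return False
```

With the tampered request the vulnerable handler hands the caller delete rights over the victim’s video, while the fixed handler refuses it and still accepts the caller’s own draft.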
It’s quite the nifty hack, and if you’re excited to try it out, I’ve got bad news. Facebook has already patched it.
Sometimes the hacks that are simple and easy, like this one, can have massive consequences. Who knows how many black hat hackers figured this out and nuked videos from Facebook servers before Melamed came along. Nevertheless, reporting an exploit like this is still a cool way to pocket $10,000.