Some Guy Figured Out How to Delete Any Video on Facebook

Security researcher Dan Melamed figured out a clever way to delete any video on Facebook earlier this year, and the social network rewarded him with $10,000 for responsibly reporting his hack.

Melamed’s method was shockingly simple and relied on an exposed piece of a URL. While uploading a dummy video to a Facebook page that he’d created, Melamed intercepted the request sent to post the video and grabbed this parameter:

composer_unpublished_photo[0]=<Video ID>

The “Video ID” portion refers to the identifying code of the video that Melamed was uploading. Once he had intercepted this request, Melamed could change the Video ID portion to the Video ID of any video that currently existed on Facebook and continue to upload his video. This meant that Melamed could change the parameters halfway through the upload and send a different video up to the Facebook servers. Once the ID was modified, Facebook would display an error, but the video was still uploaded successfully.

Melamed now had total control over the video he had just uploaded, even though the video wasn’t his: the same control he would have had if he were the original uploader. That meant that Melamed could modify the video’s settings so that comments were disabled or, even better, delete the video entirely.

It’s quite the nifty hack, and if you’re excited to try it out, I’ve got bad news. Facebook has already patched it.
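A minimal model of the flaw described above, next to the server-side ownership check that closes this class of bug. This is an added illustration, not Facebook's code or its actual patch; everything except the quoted parameter name (VideoStore, publish_unchecked, publish_checked, delete_video and the sample users) is hypothetical.

```python
from dataclasses import dataclass, field

PARAM = "composer_unpublished_photo[0]"  # parameter name quoted in the article


class Forbidden(Exception):
    """Raised when a request references a video the caller may not touch."""


@dataclass
class VideoStore:
    # Constructed toy state: video_id -> user who originally uploaded it,
    # and video_id -> user currently allowed to edit or delete it.
    uploader: dict = field(default_factory=dict)
    controller: dict = field(default_factory=dict)

    def upload(self, user_id, video_id):
        self.uploader[video_id] = user_id
        self.controller[video_id] = user_id


def publish_unchecked(store, user_id, form):
    """Flawed pattern: the client-supplied ID is trusted as-is, so the
    poster becomes controller of whatever video the ID points at."""
    video_id = form[PARAM]
    store.controller[video_id] = user_id
    return video_id


def publish_checked(store, user_id, form):
    """Hardened pattern: the ID must belong to a video that this same
    authenticated user uploaded; unknown IDs are rejected too."""
    video_id = form[PARAM]
    if store.uploader.get(video_id) != user_id:
        raise Forbidden(f"{user_id} did not upload video {video_id}")
    store.controller[video_id] = user_id
    return video_id


def delete_video(store, user_id, video_id):
    """Deletion is allowed only for the recorded controller."""
    if store.controller.get(video_id) != user_id:
        raise Forbidden("caller does not control this video")
    del store.controller[video_id]
    del store.uploader[video_id]
```

The check has to run where the ID is consumed on the server, because any value in the request can be rewritten in transit by the client.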

Sometimes the hacks that are simple and easy, like this one, can have massive consequences. Who knows how many black hat hackers figured this out and nuked videos from Facebook servers before Melamed came along. Nevertheless, reporting an exploit like this is still a cool way to pocket $10,000.

[Dan Melamed]

About the author

William Turton

Staff Writer, Gizmodo | Send me tips: william.turton@gizmodo.com
