In June 2016, A security researcher named Dan Melamed found a flaw in facebook which would not only allow an attacker to delete any video he wanted but also disable comments on that specific video. He has played with this vulnerability and reported it to the facebook.
Last year, a very similar vulnerability was found by Pranav Hivarekar, another security researcher who identified it and it provides a way to attach the victim’s video to a comment in order to delete the video.
Dan Melamed’s method is more complicated and it exposes a serious vulnerability in facebook. So here is how it works: He visited any public event on Facebook or created a public event, went to the Discussion tab and created an event post by uploading a video or photo.
While he is uploading the video, Melamed made changes to the POST request and replaced Video ID value on his video with Video ID value of the other video on the social media platform. In this case, we are here talking about the victim’s video he wanted deleted. Facebook reacts by displaying an error that says the content is no longer available. However, the video gets posted successfully.
The researcher then deleted his event post, which deletes the attached video as well. Due to the bug he discovered, the original video also gets removed from Facebook.
Since he also mentions that he discovered a way to disable commenting on any video, he goes on to add that there’s a drop-down section where you can find “Turn off commenting,” which allows you to disable commenting on the video of your choice. Melamed made a recording about how the bug works and posted it on his blog; you can find it included below.
