Sometimes the biggest exploits come from the smallest places.
This turned out to be the case for Facebook, as researcher/computer whiz Dan Melamed managed to find a simple trick allowing a user to turn off comments on – or outright delete – videos uploaded by someone else.
The exploit Melamed reported is deceptively straightforward. The basic explanation is that while uploading their own video to an event page, the user can change the video’s ID number mid-post to that of another user’s video.
This results in the targeted video being uploaded instead, with the user who swapped the ID now having control over it. This would allow them to either disable comments or delete the video entirely, as if they were authorized by the video’s original owner.
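The server-side check whose absence allows this kind of bug, as an added example that is not Facebook's code or part of the original article: a constructed in-memory model, with all names (`Video`, `attach_video_vulnerable`, `attach_video_checked`) hypothetical, showing a handler that trusts the video ID in the request beside one that checks ownership against the session user.

```python
# Constructed model of the flaw class; names are hypothetical, not Facebook's API.
from dataclasses import dataclass, field

@dataclass
class Video:
    video_id: int
    owner: str
    managers: set = field(default_factory=set)  # users who may delete / disable comments

class Forbidden(Exception):
    pass

def make_store():
    # Constructed sample data: two videos with different owners.
    videos = (Video(101, "alice", {"alice"}), Video(202, "bob", {"bob"}))
    return {v.video_id: v for v in videos}

def attach_video_vulnerable(store, session_user, posted_video_id):
    """Flawed pattern: trusts the ID in the request and hands control to the poster."""
    video = store[posted_video_id]
    video.managers.add(session_user)  # no ownership check before granting control
    return video

def attach_video_checked(store, session_user, posted_video_id):
    """Hardened pattern: the ID is only a lookup key; authority comes from the session."""
    video = store.get(posted_video_id)
    if video is None or video.owner != session_user:
        # Same error for "missing" and "not yours", so responses reveal nothing about IDs.
        raise Forbidden("video not available to this user")
    video.managers.add(session_user)
    return video

def can_delete(store, user, video_id):
    return user in store[video_id].managers

def demo():
    """Replay the same request (alice posting bob's video ID) against both handlers."""
    results = {}
    store = make_store()
    attach_video_vulnerable(store, "alice", 202)
    results["vulnerable"] = can_delete(store, "alice", 202)
    store = make_store()
    try:
        attach_video_checked(store, "alice", 202)
    except Forbidden:
        pass
    results["checked"] = can_delete(store, "alice", 202)
    return results
```
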
While that might be a blessing to anyone with a compromising video of them online from that craaazy New Year’s party or anything else best kept off of Facebook, Melamed saw the potential harm in the bug and demonstrated it to the social media giant so that it could be patched.
The icing on the cake? For his efforts, Melamed was awarded a $10,000 bounty by Facebook shortly after showing the company the exploit.
Even though Melamed reported the bug last summer, you can now see the so-called hack in motion in the video below: