Dan Melamed has uploaded a video in which he shows how he could delete any video on Facebook. Of the hundreds of thousands of hours that users spend on Facebook every day, videos of kittens, funny falls and magic tricks account for a growing share of the time we dedicate to this social network. But someone has had within reach the ability to take down virtually any video posted on the social network.
Dan Melamed, a computer security expert at New York University, discovered by chance a way to take control of any video posted on Facebook, regardless of who uploaded it. It was enough to touch up a piece of code and add a couple of numbers; from that moment, it was possible to have absolute control of any video uploaded by another person.
Melamed noticed this Facebook security flaw while he was uploading a video to his own page on the social network. While the video was being sent to Facebook's servers, he spotted a striking code snippet that aroused his interest.
What this security expert discovered out of curiosity was a flaw that could have caused absolute chaos on the social network. Worse still, it is not the first time that something similar has happened on Facebook, although this time the flaw went through a completely different security hole, one even easier to exploit.
As Melamed proved, and demonstrated on video using an invented victim, Facebook had a security bug that made it possible to use the upload of a new video to take over the identity of any other video posted on the social network.
To impersonate another person's video, it was enough to interrupt the upload of a new video and replace a snippet of code with the number that identifies the victim's video; from that moment, all management of the video was in the hands of the attacker. The attacker could do anything from blocking all comments to erasing the video completely, all with the same ease as if it were a video uploaded from their own account.
The code fragment that made it possible to take advantage of this security hole was not exactly difficult to understand: in the part reading composer_unpublished_photo = Video ID, a piece of code that appears while uploading a video to the social network, what Melamed did was replace "Video ID" with the ID of the victim's video.
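The class of flaw described above is a server acting on a client-supplied object ID without checking who owns the object. The following is an added example, not Facebook's code and not taken from Melamed's report: a constructed in-memory model with hypothetical names (make_store, attach_video_unchecked, attach_video_checked, can_manage_video) that shows the missing ownership check beside the corrected one.

```python
# Illustrative model only: an in-memory store standing in for a video service.
# Every name here is hypothetical; nothing reflects Facebook's real API.

class Forbidden(Exception):
    """Raised when the caller does not own the referenced video."""

def make_store():
    # Constructed sample data: video ID -> owning account.
    return {"videos": {"1001": "victim", "2002": "attacker"}, "posts": {}}

def attach_video_unchecked(store, user, post_id, video_id):
    """Flawed shape: any existing video ID sent by the client is accepted."""
    if video_id not in store["videos"]:
        raise KeyError(video_id)
    store["posts"][post_id] = {"author": user, "video": video_id}
    return store["posts"][post_id]

def attach_video_checked(store, user, post_id, video_id):
    """Hardened shape: the video must belong to the authenticated user."""
    owner = store["videos"].get(video_id)
    if owner is None or owner != user:
        # Same error for "missing" and "not yours", so IDs cannot be probed.
        raise Forbidden(f"{user} may not attach video {video_id}")
    store["posts"][post_id] = {"author": user, "video": video_id}
    return store["posts"][post_id]

def can_manage_video(store, user, video_id):
    """Assumed rights model: the author of a post that carries a video can
    manage it (disable comments, delete), as the article describes."""
    return any(p["author"] == user and p["video"] == video_id
               for p in store["posts"].values())

if __name__ == "__main__":
    flawed, fixed = make_store(), make_store()
    attach_video_unchecked(flawed, "attacker", "p1", "1001")
    print("unchecked:", can_manage_video(flawed, "attacker", "1001"))
    try:
        attach_video_checked(fixed, "attacker", "p1", "1001")
    except Forbidden as exc:
        print("checked: rejected,", exc)
    print("checked:", can_manage_video(fixed, "attacker", "1001"))
```

The check belongs on the server, against the authenticated session, because every field in the upload request is under the client's control.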
Fortunately for everyone, Facebook has already fixed the security bug that allowed any video to be deleted. Dan Melamed chose to get in touch with the social network rather than exploit the flaw for his own benefit, and in return received the not inconsiderable sum of $10,000 from Mark Zuckerberg's team.
The security bug in question was reported at the end of June last year (2016), and by mid-July Facebook had already fixed the problem. Zuckerberg's company may not be as transparent as it should be on certain issues, but it cannot be denied that the security of the social network is often taken very seriously.