One Simple Bug Let This Guy Delete Any Facebook Video

This article is more than 7 years old.

Like most big tech companies, Facebook has a bug bounty program. When a security researcher finds a vulnerability in a Facebook product, he or she can report it and earn a nice reward.

Some of the vulnerabilities that get reported require a number of complex steps to be exploited. Others, not so much. The one Dan Melamed discovered that allowed him to delete any video on Facebook falls into the second group.

Melamed discovered a flaw in the system that allows you to post comments to a Facebook event. If the event was public (he could simply create a new public event instead of going to look for one) and he attached a video to his comment, he could then delete that comment and the video would disappear with it.

Though Facebook asked him to confirm the deletion, there was no server-side check to see whether the video was even his to delete in the first place.

The problem, he notes in a blog post, was a single hidden form field. That field (composer_unpublished_photo[0]) pointed to the video. By intercepting the form submission and swapping the video ID tied to that field, Melamed was able to delete any Facebook video he wanted.
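The class of bug described above is a missing server-side authorization check on a client-supplied object reference. The example below is added here to illustrate it and is not Facebook's code: the data model, the `Store` class, the handler names and the sample IDs are all constructed for this illustration. Only the hidden field name `composer_unpublished_photo[0]` comes from the article. The first handler deletes whatever video ID the form names; the second verifies that the referenced video belongs to the acting user and is actually the one attached to the comment being deleted.

```python
"""Missing-ownership-check illustration (constructed example, not Facebook code)."""

from dataclasses import dataclass, field

# The hidden form field named in the article; everything else is assumed.
VIDEO_FIELD = "composer_unpublished_photo[0]"


@dataclass
class Video:
    video_id: int
    owner_id: int


@dataclass
class Comment:
    comment_id: int
    author_id: int
    attached_video_ids: list = field(default_factory=list)


class NotAuthorized(Exception):
    """Raised when the acting user may not perform the requested deletion."""


class Store:
    """Minimal in-memory stand-in for the videos and comments tables."""

    def __init__(self):
        self.videos = {}
        self.comments = {}


def delete_comment_vulnerable(store, user_id, comment_id, form):
    """Checks that the comment is the user's, then trusts the video ID in the
    hidden field as-is. The referenced video is never compared to the user."""
    comment = store.comments[comment_id]
    if comment.author_id != user_id:
        raise NotAuthorized("not your comment")
    del store.comments[comment_id]
    video_id = int(form[VIDEO_FIELD])
    store.videos.pop(video_id, None)  # no ownership check on the video


def delete_comment_fixed(store, user_id, comment_id, form):
    """Same flow, but the video named by the client must be owned by the
    acting user and must be the one attached to this comment."""
    comment = store.comments[comment_id]
    if comment.author_id != user_id:
        raise NotAuthorized("not your comment")
    video_id = int(form[VIDEO_FIELD])
    video = store.videos.get(video_id)
    if (
        video is None
        or video.owner_id != user_id
        or video_id not in comment.attached_video_ids
    ):
        raise NotAuthorized("video is not yours or not attached to this comment")
    del store.comments[comment_id]
    del store.videos[video_id]


def build_scenario():
    """Constructed data: user 1 owns video 100; user 2 owns video 200 and
    posted comment 5 with video 200 attached. The form submitted for comment 5
    names video 100 instead of 200."""
    store = Store()
    store.videos[100] = Video(100, owner_id=1)
    store.videos[200] = Video(200, owner_id=2)
    store.comments[5] = Comment(5, author_id=2, attached_video_ids=[200])
    form = {VIDEO_FIELD: "100"}
    return store, form


def victim_video_survives(handler):
    """Run one handler on the scenario; return True if video 100 is still there."""
    store, form = build_scenario()
    try:
        handler(store, user_id=2, comment_id=5, form=form)
    except NotAuthorized:
        pass
    return 100 in store.videos


if __name__ == "__main__":
    print("vulnerable keeps victim video:", victim_video_survives(delete_comment_vulnerable))
    print("fixed keeps victim video:     ", victim_video_survives(delete_comment_fixed))
```

The fix is not to hide the field better: anything the browser sends can be edited. The check has to be done where the deletion happens, against the object the server already knows is tied to the comment and the authenticated user.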

Melamed made his discovery last June and demonstrated it to Facebook's security team. They asked him to confirm the bug by deleting a video from one of their test accounts, which he did. Satisfied that this was something that definitely needed to be fixed, Facebook thanked Melamed for his efforts by sending him a check for $10,000.

Don't worry, your videos are safe from Melamed's exploit: Facebook fixed the problem quite some time ago.

So just how often does this sort of thing happen? A lot more often than you might think.

Facebook receives thousands of vulnerability disclosures every year. Payouts range from $2,000 to more than $30,000 depending on the severity of the bug.

They say they're "grateful to all the researchers around the world who have taken the time to evaluate our services and report bugs" and note that "most submissions end up not being valid issues." Nevertheless, Facebook treats them like they are until they've been fully analyzed. The security of a billion-plus users is too important to take any chances.