Facebook’s bug bounty program has proven its value, saving users of the popular social media platform from potential security breaches that could have exposed our personal data to hackers.
The Facebook bug bounty reward ensures that security researchers are always on the lookout for potential bugs that could allow unauthorized access to our private files. Not too long ago, a bounty hunter discovered a bug that would have allowed anyone to delete our Facebook photos. Now it has been revealed that another bug would have allowed any stranger to access our uploaded videos and delete them without permission.
The bug was discovered by security researcher Dan Melamed, and it lay in the way Facebook handles videos attached to events. Melamed discovered the fairly simple method around June last year. It involves changing the Video ID of the video being uploaded, swapping it with the ID of an already existing video on Facebook. When that is done, Facebook displays an error, but that doesn’t stop the video from being uploaded anyway. Curiously, the uploader succeeds in uploading his own video, but it now bears the same Video ID as the one being targeted on Facebook. When this happens, the hacker can delete the other person’s video, and even disable comments on the target video post, right from his own account by performing the same action on his own uploaded video.
Now for those who want to try it out, I’ve got bad news for you – Facebook already patched it. But who knows, maybe you can check if this also exists in other parts of the social network like the Facebook marketplace.
You can see that it is a relatively simple bug, but one that could cause a lot of damage if it got into the hands of a mischievous person. It could go unnoticed for a long time because of the large codebase on which Facebook is built. Victims would just keep wondering what happened to their videos and comments sections without knowing their account had been compromised. Thankfully, Melamed did contact Facebook about the bug and it has since been fixed. For his sweat and time, he was rewarded with $10,000.
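The flaw described above comes down to a server accepting a client-supplied Video ID without checking that the caller owns the video it points to. The code below is an added illustration, not Facebook's code: a simplified in-memory model in which every class, method, user name and ID is hypothetical, running the same request against a handler that trusts the ID and against one that verifies ownership and logs the denial.

```python
# Constructed toy model, not Facebook's code: all names and IDs are hypothetical.
class Forbidden(Exception):
    pass

class VideoStore:
    def __init__(self, check_owner):
        self.check_owner = check_owner  # False: flawed handler, True: hardened
        self.videos = {}                # video_id -> owning user
        self.posts = {}                 # post_id -> (author, video_id)
        self.audit = []                 # denied attempts, for detection

    def upload(self, user, video_id):
        self.videos[video_id] = user

    def attach_to_post(self, user, post_id, video_id):
        """Attach a client-supplied video ID to the caller's event post."""
        owner = self.videos[video_id]
        if self.check_owner and owner != user:
            # Hardened: the ID must reference a video the caller owns.
            self.audit.append(("attach_denied", user, video_id, owner))
            raise Forbidden("video belongs to another account")
        self.posts[post_id] = (user, video_id)

    def delete_post_video(self, user, post_id):
        author, video_id = self.posts[post_id]
        if author != user:
            raise Forbidden("not the post author")
        # Hardened: authorise against the video itself, not only the post.
        if self.check_owner and self.videos[video_id] != user:
            raise Forbidden("not the video owner")
        del self.videos[video_id]
        del self.posts[post_id]

def run_scenario(check_owner):
    """Return (victim video still exists, audit log) for one handler variant."""
    store = VideoStore(check_owner)
    store.upload("alice", 1001)    # constructed sample data
    store.upload("mallory", 2002)
    try:
        # mallory's request carries alice's video ID instead of her own
        store.attach_to_post("mallory", "event-post-1", 1001)
        store.delete_post_video("mallory", "event-post-1")
    except Forbidden:
        pass
    return 1001 in store.videos, store.audit

if __name__ == "__main__":
    print("flawed:  ", run_scenario(False))
    print("hardened:", run_scenario(True))
```

In the hardened variant the denied attempt lands in the audit list, which is the kind of record that would let the owner or the platform notice the attempt instead of wondering where a video went.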