Indian engineer gets $12,500 bounty for finding a Facebook bug that let anyone delete pictures

06.15.13_technewsrprt_img_stories_regina-timothy_facebook

Recently, Facebook revealed that it paid over $1 million through its WhiteHat Bug Reporting Program whereby users are compensated for reporting any vulnerability that could be exploited on the social media site.

This is how Arul Kumar, an Indian electronics and communications engineer won a $12,500 bounty when he found and reported a critical vulnerability on Facebook that let any user delete photos from anyone’s account without the owner’s consent or knowledge.

Kumar found out that the mobile version of Facebook’s Support Dashboard, which allows users to flag and report a picture for removal, could be exploited to remove any photograph posted by any Facebook user. When a user sends a photo removal request through the Support Dashboard, usually Facebook takes a look and decides if it should be removed or not. If Facebook decides not to remove it, then the user has the option of sending a message to the user who has posted the picture with a request to remove the same picture. The request also contains a link, clicking on which leads to the removal of the photo.

“I can manually modify Photo_id & Owners Profile_id so that I can able to receive any photo removal link to my inbox,” said Kumar. “It would be done without any user’s Interaction. And also Facebook will not notify owner if his photo was removed.” As per Kumar, the same exploit could have been used for removing photos posted by even verified users, fan pages and groups and from status updates, photo albums, suggested posts and comments.

When Kumar first shared the vulnerability with Facebook, it was dismissed, with the Facebook security team unable to delete any pictures through the suggested hack. Following this, Kumar sent Facebook a proof of concept video demonstrating the bug through a dummy account. The second attempt was fruitful and the Facebook security team was able to see the vulnerability.

Share on TwitterShare on FacebookShare on LinkedInPin it on PinterestSubmit to redditSubmit to StumbleUponShare on Tumblr

Written by Regina Timothy

Editor of TechNews Report. Loves all things technology

Leave a Reply