02 Sep 2013

Facebook Paid 12,500$ Bounty on Bug that Deleted User Photos

Facebook rewarded an Indian ethical hacker with a $12,500 bounty for a critical vulnerability that allowed anyone to delete photos without user interaction. 21-year-old Arul Kumar sent the social network a video proof-of-concept that exploited Mark Zuckerberg's profile and photos.

The bug allowed hackers to remove photos from any Facebook profile by exploiting the support dashboard, a portal designed to help users track the progress of the reports sent to the social network. From the Dashboard, users can see if their report has been reviewed by Facebook employees.

“This flaw exists while sending messages,” Arul Kumar wrote in a blog post. “I can manually modify Photo_id & Owners Profile_id so that I can able to receive any photo removal link to my inbox. It would be done without any user’s interaction. And also Facebook will not notify owner if his photo was removed.”

The vulnerability mainly existed on the mobile domain. If an image wasn’t removed by the Facebook team, users had the option to send a message with a Photo Removal Request to the owner. If users sent a fake message, the server automatically generated a removal link.

This was Kumar’s second reward this year from Facebook. The company already approved his 3 Open Redirectors vulnerability, which is eligible for $1,500.

Another Facebook headline these days concerns a cyber-attack against Mark Zuckerberg’s hacker. The Facebook account of Khalil Shreateh, a Palestinian security researcher who managed to breach Zuckerberg’s official account, was apparently hacked.