Facebook offered $12,500 to a security researcher for finding a critical photo bug.

An Indian security researcher, Arul Kumar, recently discovered a security flaw on Facebook that allowed hackers to delete any photo from a user’s account, via mobile devices, without the user’s knowledge or permission. The bug is now fixed, and Facebook rewarded Kumar with $12,500 for finding this critical vulnerability.

Facebook photo bug allows hackers to delete other's photo without permission.


In his blog, Kumar reveals a way to remove photos from another user’s account without knowing the victim’s login information. Normally, a user can request that Facebook remove a photo. If Facebook doesn’t remove it, the user can then appeal to the user who uploaded the photo to take it down. That user will then receive a link with a one-click button to delete the image.

So where is the problem?

According to Kumar, the bug resides in the Support Dashboard on Facebook’s mobile domain. Kumar created two real Facebook IDs and logged into both accounts at the same time; he called one the “sender” and the other the “receiver.” He reported a photo as the “sender,” and in the URL he inserted the photo ID value (the “cid” parameter) of the photo he wanted removed, together with the profile ID value (the “rid” parameter) of the person the report was supposed to go to (the “sender,” which in this case was also controlled by Kumar).
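The flaw described above is an authorization problem: the handler that builds the one-click removal link trusted the client-supplied “rid” to decide who gets the delete button. The following is an added illustration, not Facebook’s code or Kumar’s, that models that flow with a toy in-memory photo store and constructed sample data. The names (`issue_link_insecure`, `issue_link_hardened`, `click_delete`, the “photo-42” id and the “alice”/“mallory” accounts) are all hypothetical. It shows the weak pattern beside two independent fixes: deriving the recipient from the photo’s owner when the link is issued, and re-checking ownership at the moment the link is consumed.

```python
"""Added example (not Facebook's code): a minimal model of the report-and-remove
flow. The point is that the recipient of the one-click delete link must be derived
server-side from the photo's owner, not taken from a client-supplied rid, and that
ownership should be re-validated when the link is used."""

import hashlib
import hmac
from dataclasses import dataclass

SERVER_SECRET = b"constructed-example-secret"  # constructed, not a real key


@dataclass
class Photo:
    cid: str    # photo id, the "cid" parameter in the article
    owner: str  # account that uploaded it


def sample_store():
    # Constructed sample data: one photo owned by "alice".
    return {"photo-42": Photo("photo-42", "alice")}


def sign(cid: str, rid: str) -> str:
    # Token embedded in the one-click link, binding photo id to intended recipient.
    return hmac.new(SERVER_SECRET, f"{cid}:{rid}".encode(), hashlib.sha256).hexdigest()


def issue_link_insecure(store, cid, rid):
    """Weak pattern: trusts the client-supplied rid. Whoever files the report
    can route the delete button to an account they control."""
    if cid not in store:
        return None
    return {"cid": cid, "rid": rid, "token": sign(cid, rid)}


def issue_link_hardened(store, cid, rid):
    """Fix 1: the recipient is the photo's owner as recorded server-side; a rid
    that does not match is rejected rather than honoured."""
    photo = store.get(cid)
    if photo is None or photo.owner != rid:
        return None
    return {"cid": cid, "rid": photo.owner, "token": sign(cid, photo.owner)}


def click_delete(store, link, acting_user, recheck_owner):
    """Consume a removal link. With recheck_owner=False the handler relies only
    on the token (the weak assumption). With recheck_owner=True (fix 2) ownership
    is validated again at deletion time, so even a mis-issued link cannot remove
    another user's photo."""
    if not hmac.compare_digest(sign(link["cid"], link["rid"]), link["token"]):
        return False  # tampered or forged link
    if acting_user != link["rid"]:
        return False  # link was not issued to this account
    photo = store.get(link["cid"])
    if photo is None:
        return False
    if recheck_owner and photo.owner != acting_user:
        return False  # recipient is not the owner: refuse
    del store[link["cid"]]
    return True


def demo():
    """Returns (deleted_with_weak_flow, deleted_with_hardened_issue, photo_survives)."""
    # "mallory" reports alice's photo and points rid at her own account.
    weak = sample_store()
    link = issue_link_insecure(weak, "photo-42", "mallory")
    deleted_weak = click_delete(weak, link, "mallory", recheck_owner=False)

    hard = sample_store()
    link2 = issue_link_hardened(hard, "photo-42", "mallory")  # None: rid != owner
    deleted_hard = link2 is not None and click_delete(hard, link2, "mallory", True)
    return deleted_weak, deleted_hard, "photo-42" in hard


if __name__ == "__main__":
    print(demo())
```

Either fix alone closes the hole in this model; applying both means a mistake in link issuance is still caught when the link is clicked, which is the defence-in-depth a practitioner would want around any “act on behalf of another user” link.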

On his blog, Kumar described how to delete another user’s photo without his/her knowledge.

Microsoft is not the only tech giant that encourages hackers to find and resolve vulnerabilities in exchange for bounty rewards. Facebook’s White Hat Program offers a financial reward to experts who can locate any bug on its site. The minimum reward is $500, and there is no ceiling on the prize amount; it all depends on the severity of the bug.

However, as a reminder, Facebook strongly forbids researchers from testing their exploits on any real accounts. A couple of weeks ago, an IT expert, Khalil Shreateh, hacked Mark Zuckerberg’s timeline to prove his finding of a bug. As a result, he was disqualified from claiming the reward. In Kumar’s case, however, he never actually tested on Mark’s account: the delete button was never clicked.


Facebook Vulnerability Targets Mark Zuckerberg’s Timeline

After numerous attempts at contacting Facebook’s support team, IT expert Khalil Shreateh used a bug he’d discovered to post a very public message on Facebook founder Mark Zuckerberg’s Timeline. The message has since been removed, but the vulnerability allows users to post to anyone’s wall, regardless of whether they are friends.

Shreateh, as noted in his blog post about the bug, tested it and submitted the bug to Facebook’s Whitehat disclosure service – one that awards users who discover security vulnerabilities $500+ per successful bug discovery. A Facebook engineer replied to Shreateh’s submission by saying “This is not a bug.”

In response to the engineer’s immediate dismissal, Shreateh used the vulnerability to post to Mark Zuckerberg’s wall with details of the bug. Within minutes, Shreateh’s account was temporarily disabled. Facebook had to acknowledge his discovery, but refused to pay for his discovery on the premise that the methods he used to unveil it violated Facebook’s Terms of Service.

The bug has since been fixed, but Facebook stands its ground in withholding any reward from Shreateh. Facebook’s Whitehat page notifies all users that in order to be eligible for the bounty program, they must use test accounts and adhere to the existing privacy policy: “If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you.”

Bounty programs have become standard in the tech community. Rewards can often be quite substantial. Microsoft recently launched a program that offers up to $150,000 for newly discovered vulnerabilities.

Microsoft Offers Bounty to Hackers

Beginning June 26th, Microsoft will launch two rewards programs, aimed toward increasing PC security in machines running Windows 8. The tech giant is offering rewards as high as $150,000 to hackers who can locate and resolve any vulnerabilities.

Hackers as young as 14 years old are eligible to enter. Windows is the predominant operating system throughout the world, and security measures already in place will prove to be difficult to break through for hackers looking for security vulnerabilities.

A rewards system this substantial is sure to attract the world’s top hacking talent. Microsoft is offering $100,000 to anyone who can identify major flaws, and an additional $50,000 for a working solution. Additionally, they are offering $11,000 rewards to anyone who finds a major vulnerability in the beta version of Internet Explorer 11.