An Indian security researcher, Arul Kumar recently discovers a security flaw on Facebook that allows hackers to delete any photo from a user’s account without his/her knowledge or permission via mobile devices. The bug is now fixed and Facebook reward Kumar with $12,500 for finding this critical vulnerability.
In Kumar’s blog, he reveals a way to remove photos from another user’s account without knowing the victim’s login information. Normally, user can request Facebook to remove a photo. If Facebook doesn’t remove it, the user can then appeal to the user who uploaded the photo to request taking it down. He/She will then receive a link with a one-click button to delete the image.
So where is the problem?
According to Kumar, the breach resides in the Support Dashboard on Facebook’s mobile domain. Kumar created two real Facebook IDs and logged in both account at the same time. On one end, he called it the “sender”; while the other called the “receiver.” He reported a photo as the “sender,” in the URL he inserted the photo ID value (a.k.a “cid” parameter) that he would like to remove, and the profile ID value (a.k.a “rid” parameter) of the person that the report supposed to go to (the “sender,” which in this case is also controlled by Kumar).
Microsoft is not the only tech giant who encourages hackers to resolve any vulnerability with bounty rewards. Facebook’s White Hat Program offers financial reward to experts who can locate any bug of their site. The minimum reward is $500, while there is no ceiling for the prize amount. It all depends on the severity of the bug.
However, as a reminder, Facebook strongly forbids researchers from testing their exploits on any real accounts. Couple weeks ago, an IT expert, Khalil Shreateh hacked Mark Zuckerberg’s timeline to prove his finding of a bug. As a result, he was disqualified to claim the reward. However, in Kumar’s case, he never actually tested on Mark’s account. The delete button has never been clicked.