Engineer receives $12,500 bounty from Facebook for discovering picture deletion vulnerability

Sep 03, 2013 by Bob Yirka weblog

(Phys.org) — An electronics and communications engineer in India has been awarded a $12,500 bounty by Facebook for the discovery of a picture deleting vulnerability in the social network's Support Dashboard. Arul Kumar details on his blog how he found the vulnerability, how it works and his communications with Facebook regarding the find.

Facebook is serious about its user community following rules about what is posted on user and group pages. For that reason, they have added a section to the Support Dashboard for users that come across postings or pictures that break the rules so that they can be reported and removed. In looking at how Facebook handled such reports for objectionable photos, Kumar noticed that the code for sending the request could be viewed by the user making the request. He then discovered that the code could be modified as well. Normally, when a report is created it is sent to Facebook, where someone on staff looks at the picture in question and makes a judgment about whether to let it remain or to delete it. If they choose to let it remain, a message is created with a link in it and sent to the owner of the account that holds the photo. That person can then either choose to let the photo remain on their page, or can click the link to have it instantly removed.

Kumar found that he could alter the address to which the message would be sent, which meant he could have it sent to himself, rather than the account holder. Once the message was received, he was then free to click the link to delete the photo. That meant he could delete from any account, personal or group—even those posted by others on someone's page, without permission from them or Facebook, and without the knowledge of either. The owner of the page wouldn't know anything had occurred unless they happened to notice a photo missing on their page.
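The flaw described above is a recipient field that the server trusted because it arrived with the report form, combined with a removal link that worked for whoever held it. The following is an added illustration of that pattern, written for this page and not Facebook's code or Kumar's: a small in-memory report service with the vulnerable flow beside a hardened one. All names (`ReportService`, `file_report_vulnerable`, `redeem_hardened`, the `notify_user` field, the users `victim` and `reporter`) are assumptions for the example, and the signing key and sample data are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Photo:
    photo_id: str
    owner: str


class ReportService:
    """Constructed stand-in for a photo-report flow: photos, per-user inboxes,
    and the secret used to sign removal links. Not any real service's code."""

    ALLOWED_REPORT_FIELDS = {"photo_id", "reason"}  # assumed form schema

    def __init__(self):
        self.secret = secrets.token_bytes(32)  # constructed per-instance signing key
        self.photos = {}
        self.inbox = {}
        self.audit_log = []

    def add_photo(self, photo_id, owner):
        self.photos[photo_id] = Photo(photo_id, owner)
        self.inbox.setdefault(owner, [])

    def _token(self, photo_id, owner):
        # Bind the removal action to one photo and its owner.
        msg = f"{photo_id}:{owner}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def _send_link(self, recipient, photo):
        self.inbox.setdefault(recipient, []).append(
            {"photo_id": photo.photo_id,
             "token": self._token(photo.photo_id, photo.owner)})

    # ---- Vulnerable flow: trusts every field the browser submits ----
    def file_report_vulnerable(self, form):
        photo = self.photos[form["photo_id"]]
        # BUG: the recipient is read from the client-controlled form, so the
        # reporter can have the removal link delivered to themselves.
        self._send_link(form.get("notify_user", photo.owner), photo)

    def redeem_vulnerable(self, acting_user, message):
        # BUG: verifies the token is genuine but never checks who redeems it.
        photo = self.photos.get(message["photo_id"])
        if photo and hmac.compare_digest(
                self._token(photo.photo_id, photo.owner), message["token"]):
            del self.photos[photo.photo_id]
            return True
        return False

    # ---- Hardened flow ----
    def file_report_hardened(self, form):
        unexpected = set(form) - self.ALLOWED_REPORT_FIELDS
        if unexpected:
            # Reject tampered submissions and record them: the audit entry is
            # the detection signal for parameter tampering attempts.
            self.audit_log.append(
                f"rejected report with fields {sorted(unexpected)}")
            raise ValueError("unexpected report fields")
        photo = self.photos[form["photo_id"]]
        # Recipient is derived server-side from the photo's owner, never from the form.
        self._send_link(photo.owner, photo)

    def redeem_hardened(self, acting_user, message):
        photo = self.photos.get(message["photo_id"])
        if photo is None or acting_user != photo.owner:
            return False  # the link is only honoured inside the owner's own session
        if not hmac.compare_digest(
                self._token(photo.photo_id, photo.owner), message["token"]):
            return False
        del self.photos[photo.photo_id]
        return True


def run_scenario(hardened):
    """A reporter submits a report with an extra 'notify_user' field pointing at
    themselves, then clicks whatever removal link lands in their own inbox."""
    svc = ReportService()
    svc.add_photo("photo-1", "victim")
    form = {"photo_id": "photo-1", "reason": "spam", "notify_user": "reporter"}
    if hardened:
        try:
            svc.file_report_hardened(form)
        except ValueError:
            pass
        links = svc.inbox.get("reporter", [])
        deleted = any(svc.redeem_hardened("reporter", m) for m in links)
    else:
        svc.file_report_vulnerable(form)
        links = svc.inbox.get("reporter", [])
        deleted = any(svc.redeem_vulnerable("reporter", m) for m in links)
    return {"reporter_got_link": bool(links),
            "photo_deleted": deleted,
            "photo_still_exists": "photo-1" in svc.photos,
            "audit_log": svc.audit_log}
```

Two independent fixes are shown because either one alone closes the hole the article describes: the server decides the recipient from data it already owns rather than from the form, and the removal link is honoured only when redeemed by the photo's owner. Rejecting unexpected form fields outright, rather than silently ignoring them, also gives the audit log a concrete record of tampering attempts.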

Kumar very carefully followed the rules Facebook has outlined for reporting vulnerabilities (he didn't remove pictures from real user accounts, for example) and was handsomely rewarded for his efforts. He reports that Facebook has subsequently fixed the .



