Engineer receives $12,500 bounty from Facebook for discovering picture deletion vulnerability

Sep 03, 2013 by Bob Yirka weblog

(Phys.org) —An electronics and communications engineer in India has been awarded a $12,500 bounty by Facebook for the discovery of a picture deleting vulnerability in the social network's Support Dashboard. Arul Kumar details on his blog how he found the vulnerability, how it works and his communications with Facebook regarding the find.

Facebook is serious about its user community following rules about what is posted on user and group pages. For that reason, they have added a section to the Support Dashboard for users that come across postings or pictures that break the rules so that they can be reported and removed. In looking at how Facebook handled such reports for objectionable photos, Kumar noticed that the code for sending the request could be viewed by the user making the request. He then discovered that the code could be modified as well. Normally, when a report is created it is sent to Facebook, where someone on staff looks at the picture in question and makes a judgment about whether to let it remain or to delete it. If they choose to let it remain, a message is created with a link in it and sent to the owner of the account that holds the photo. That person can then either choose to let the photo remain on their page, or can click the link to have it instantly removed.

Kumar found that he could alter the address to which the message would be sent, which meant he could have it sent to himself, rather than the account holder. Once the message was received, he was then free to click the link to delete the photo. That meant he could delete from any account, personal or group—even those posted by others on someone's page, without permission from them or Facebook, and without the knowledge of either. The owner of the page wouldn't know anything had occurred unless they happened to notice a photo missing on their page.

Kumar very carefully followed the rules Facebook has outlined for reporting vulnerabilities (he didn't remove pictures from real user accounts, for example) and was handsomely rewarded for his efforts. He reports that Facebook has subsequently fixed the .


Explore further: No reward for hacking Zuckerberg Facebook page

Related Stories

Facebook fixes photo privacy bug

Dec 07, 2011

Facebook has fixed a bug that allowed the viewing of some private photographs of other members and which was reportedly used to access personal pictures of founder Mark Zuckerberg.

Recommended for you

LinkedIn membership hits 300 million

Apr 18, 2014

The career-focused social network LinkedIn announced Friday it has 300 million members, with more than half the total outside the United States.

Researchers uncover likely creator of Bitcoin

Apr 18, 2014

The primary author of the celebrated Bitcoin paper, and therefore probable creator of Bitcoin, is most likely Nick Szabo, a blogger and former George Washington University law professor, according to students ...

White House updating online privacy policy

Apr 18, 2014

A new Obama administration privacy policy out Friday explains how the government will gather the user data of online visitors to WhiteHouse.gov, mobile apps and social media sites. It also clarifies that ...

User comments : 0

More news stories

Airbnb rental site raises $450 mn

Online lodging listings website Airbnb inked a $450 million funding deal with investors led by TPG, a source close to the matter said Friday.

Health care site flagged in Heartbleed review

People with accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the ...

A homemade solar lamp for developing countries

(Phys.org) —The solar lamp developed by the start-up LEDsafari is a more effective, safer, and less expensive form of illumination than the traditional oil lamp currently used by more than one billion people ...

Treating depression in Parkinson's patients

A group of scientists from the University of Kentucky College of Medicine and the Sanders-Brown Center on Aging has found interesting new information in a study on depression and neuropsychological function in Parkinson's ...