The Indian researcher Arul Kumar has been rewarded for spotting a security flaw on Facebook that allowed hackers to delete any image being stored on the social networking site.
On his blog he explained the Facebook flaw in full detail: it abused the Facebook Support Dashboard. Facebook classed it as “critical”; it worked most reliably from mobile devices, although the bug affected every browser and version.
Normally the Facebook Support Dashboard works by sending Photo Removal requests to the company. After a Facebook employee reviews a request, a link is generated for the photo’s owner to click in order to remove the photo. The weakness was that two parameters in the message sent during this process could be tampered with. An attacker could modify them and receive the removal link for any photo in their own inbox, without the owner ever knowing.
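The pattern described above, in which a client-supplied parameter decides who receives a privileged link, is a general one, and the illustration below is an added example written for this article rather than Facebook’s code or anything from Kumar’s write-up. It models a toy removal service with constructed data; the parameter names `photo_id` and `owner_id`, the HMAC token format and the in-memory inbox are all assumptions. The weak issuer trusts the request’s `owner_id`, so a tampered request delivers a working link to the wrong inbox; the hardened issuer looks the owner up from the photo record server-side and binds the token to that owner, so a tampered request cannot redirect the link and even a leaked link is useless to anyone but the owner.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlsplit


class RemovalService:
    """Toy model of a support dashboard that issues photo-removal links.

    Not Facebook's code: an added illustration of the parameter-tampering
    flaw and its fix. All names and data here are constructed.
    """

    def __init__(self, photos):
        self.photos = dict(photos)   # photo_id -> owner user id (constructed)
        self.inbox = {}              # user id -> list of delivered links
        self._key = secrets.token_bytes(32)

    def _token(self, photo_id, owner_id):
        # The removal token binds the photo to the user allowed to redeem it.
        msg = f"{photo_id}:{owner_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _deliver(self, recipient, photo_id, owner_id):
        link = (
            "https://support.example.invalid/remove"
            f"?photo={photo_id}&owner={owner_id}&t={self._token(photo_id, owner_id)}"
        )
        self.inbox.setdefault(recipient, []).append(link)
        return link

    def issue_link_vulnerable(self, request):
        """Weak issuer: the client-supplied owner_id chooses both the recipient
        and the identity the token is bound to, so a tampered request puts a
        valid removal link in the requester's own inbox."""
        photo_id, owner_id = request["photo_id"], request["owner_id"]
        self._deliver(owner_id, photo_id, owner_id)
        return owner_id

    def issue_link_hardened(self, request):
        """Hardened issuer: the owner comes from the server-side photo record;
        any owner_id in the request is ignored."""
        photo_id = request["photo_id"]
        owner_id = self.photos.get(photo_id)
        if owner_id is None:
            raise LookupError("unknown photo")
        self._deliver(owner_id, photo_id, owner_id)
        return owner_id

    def redeem(self, link, acting_user):
        """Simulate clicking the link while logged in as acting_user. The photo
        is deleted only if the token is authentic and bound to acting_user."""
        params = dict(parse_qsl(urlsplit(link).query))
        expected = self._token(params["photo"], params["owner"])
        if not hmac.compare_digest(expected, params["t"]):
            return False
        if params["owner"] != acting_user:
            return False
        return self.photos.pop(params["photo"], None) is not None


def demo():
    """Run both issuers against the same tampered request and report outcomes."""
    tampered = {"photo_id": "photo-1", "owner_id": "mallory"}  # constructed

    weak = RemovalService({"photo-1": "alice"})
    weak.issue_link_vulnerable(tampered)
    weak_deleted = weak.redeem(weak.inbox["mallory"][0], "mallory")

    hard = RemovalService({"photo-1": "alice"})
    hard.issue_link_hardened(tampered)
    leaked = hard.inbox["alice"][0]
    hard_deleted_by_other = hard.redeem(leaked, "mallory")
    hard_deleted_by_owner = hard.redeem(leaked, "alice")

    return {
        "weak_attacker_deleted": weak_deleted,
        "hardened_link_reached_attacker": "mallory" in hard.inbox,
        "hardened_other_deleted": hard_deleted_by_other,
        "hardened_owner_deleted": hard_deleted_by_owner,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check that matters is in `issue_link_hardened`: the recipient and the identity inside the token are derived from state the server already holds, never from the request. Binding the token to the owner in `redeem` is defence in depth, so that a link that leaks by some other route still cannot be used by a different account.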
Kumar said that as a result of the flaw, any photo could be removed from pages and users, shared and tagged images could be deleted and photos could be removed from groups, pages and suggested posts.
Facebook’s Bug Bounty program, which encourages researchers to report what they find for a financial reward, has given Mr Kumar $12,500 for his findings. It has also fixed the bug.