Menu
Researcher claims $12,500 reward for finding Facebook photo bug

Researcher claims $12,500 reward for finding Facebook photo bug

The flaw, which has been fixed, could allow a user to delete photos from someone else's account

A security researcher said Facebook will award him US$12,500 for finding a flaw that lets anyone remove photos from another person's profile.

The flaw was described on the blog of 21-year-old Arul Kumar, who lives in the state of Tamil Nadu in south India. Kumar wrote that Facebook initially thought it wasn't a flaw, but later reversed its position. The vulnerability has been fixed.

Users can request that Facebook remove a photo. If Facebook doesn't remove it, the user can appeal to the person on whose account it appears to take it down. If the person chooses, the photo can be deleted with a click.

Kumar said he found a way to allow the complainant to receive a link sent from Facebook that would remove the photo without knowledge of the person who had posted the picture. The flaw did not require knowing the victim's login and password.

The problem resides in a Support Dashboard on Facebook's mobile domain, Kumar wrote. He generated a form to report a photo, then in the URL inserted the photo ID value for the picture he wanted to remove, known as the "cid" parameter.

Kumar then substituted a Facebook user ID for an account he controlled in place of the ID for the person the report is supposed to go to, which is the "rid" parameter.

When the form is completed and sent, Facebook sends a link that allows the receiver to delete the photo. In Kumar's example, the link was sent to the account he controlled.

In a video demonstration, Kumar showed technical details of the flaw using a URL that would be generated if someone wanted to report one of Mark Zuckerberg's photos. But in line with Facebook's rules regarding security research, Kumar wrote that he used two test accounts to actually show how a photo could be deleted.

Facebook gives a minimum $500 reward to the first person who finds a valid security vulnerability. There is no upper limit, and Facebook may award much more depending on the bug's severity. The company did not immediately comment on the reward to Kumar.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags securityinternetFacebooksocial networkingInternet-based applications and servicesExploits / vulnerabilities

Featured

Slideshows

Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Tech industry comes together as Lexel celebrates turning 30

Tech industry comes together as Lexel celebrates turning 30

Leading figures within the technology industry across New Zealand came together to celebrate 30 years of success for Lexel Systems, at a milestone birthday occasion at St Matthews in the City.​

Tech industry comes together as Lexel celebrates turning 30
Show Comments