MouthShut.com Would Like to Send You Push Notifications. Notification may includes alerts, activities & updates.

OTP Verification
Wrong Number?

Enter 4-digit code
Resend OTP
For Business

Article Rated By

Home> Dhanashri_7's Profile > Dhanashri_7's Articles > Indian engineer gets $12,500 bounty for finding a Facebook bug that let anyone delete pictures

Indian engineer gets $12,500 bounty for finding a Facebook bug that let anyone delete pictures

By: Dhanashri_7 | Posted Sep 03, 2013 | General | 1192 Views

Facebook had a security bug that could be exploited to delete any image on the social networking site posted by anyone, without the original poster's knowledge and approval.


Interestingly, an Indian electronics and communications engineer, Arul Kumar, discovered this vulnerability and shared it with Facebook under its Whitehat bug reporting program, winning a $12,500 bounty in the process.


The 21-year old engineer from Tamil Nadu, discovered that the mobile version of Facebook's Support Dashboard, which allows users to flag and report a picture for removal, could be exploited to remove any photograph posted by any Facebook user.


When a user sends a photo removal request through the Support Dashboard, usually Facebook takes a look and decides if it should be removed or not. If Facebook decides not to remove it, then the user has the option of sending a message to the user who has posted the picture with a request to remove the same picture. The request also contains a link, clicking on which leads to the removal of the photo.


Kumar discovered that while sending a removal request, a user can manually modify the Photo_id and the photo owner's Profile_id parameters, following which the photo removal link can be sent to one's own Facebook ID and used to delete the photo without the original uploader's knowledge. Using the same method, any picture on Facebook could be deleted without the involvement of the user who originally posted the picture.


As per Kumar, the same exploit could have been used for removing photos posted by even verified users, fan pages and groups and from status updates, photo albums, suggested posts and comments.


When Kumar first shared the vulnerability with Facebook, it was dismissed, with the Facebook security team unable to delete any pictures through the suggested hack. Following this, Kumar sent Facebook a proof of concept video demonstrating the bug through a dummy account. The second attempt was fruitful and the Facebook security team was able to see the vulnerability.


source:https://goo.gl/PNqapN -ndtv


You loved this blog. Thank you for your rating.
Dhanashri
@Dhanashri_7
X