Researcher Discovers Facebook Flaw that Allowed Hackers to Delete Posted Photos

Indian researcher Arul Kumar discovered a flaw on Facebook that would have allowed hackers to delete any posted photo they wanted on the site. Through the site’s White Hat program, Kumar has been paid $12,500 for his efforts.

The bug worked by exploiting Facebook’s Support Dashboard, and functioned on any browser and with any version of Facebook. According to Kumar, the bug was actually most effective on mobile devices. The Facebook Support function allows users to send Photo Removal requests to the site, which are reviewed by employees who can then send a link or report back to the user allowing them to remove the image.

However, this bug allowed hackers to receive the “delete photo” link themselves without the actual owner of the image ever finding out. Malicious hackers could essentially exploit the code by changing a few numerals in a page’s URL to send the “delete photo” link to themselves, and could take down photos on individual profiles, group pages, fan pages and more. It’s a frighteningly simple bug, and that’s most likely why Kumar received such a hefty payday; the minimum bug bounty paid out by Facebook is $500, and the average is typically around $1,500.
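The class of flaw described above, where an identifier in the URL decides who receives a privileged link, is shown here as an added example that is not Facebook's code or part of the original article. The parameter names, data and URLs are all hypothetical and constructed; the block contrasts a handler that trusts the URL with one that takes the recipient from the server-side ownership record and logs mismatches.

```python
from urllib.parse import urlparse, parse_qs

# Constructed data: server-side record of who owns each photo.
PHOTO_OWNERS = {"1001": "alice", "1002": "bob"}
AUDIT_LOG = []  # rejected requests, kept for detection and review


def _params(url):
    """Extract the photo id and the recipient id carried in the request URL."""
    query = parse_qs(urlparse(url).query)
    return query["photo_id"][0], query["recipient_id"][0]


def recipient_vulnerable(url, session_user):
    """Weak form: whoever the URL names receives the removal link."""
    _photo_id, recipient_id = _params(url)
    return recipient_id


def recipient_hardened(url, session_user):
    """Corrected form: the recipient comes from the ownership record only."""
    photo_id, claimed = _params(url)
    owner = PHOTO_OWNERS.get(photo_id)
    if owner is None:
        raise LookupError("unknown photo")
    if claimed != owner:
        # Record who asked and what they claimed, then refuse.
        AUDIT_LOG.append({"user": session_user, "photo": photo_id, "claimed": claimed})
        raise PermissionError("recipient does not own this photo")
    return owner


# Constructed requests: one untouched, one with the recipient identifier altered.
LEGIT = "https://support.example.invalid/removal?photo_id=1001&recipient_id=alice"
TAMPERED = "https://support.example.invalid/removal?photo_id=1001&recipient_id=mallory"

if __name__ == "__main__":
    print("vulnerable ->", recipient_vulnerable(TAMPERED, "mallory"))
    try:
        recipient_hardened(TAMPERED, "mallory")
    except PermissionError as exc:
        print("hardened   ->", exc, AUDIT_LOG)
```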


