Indian researcher Arul Kumar discovered a flaw on Facebook that would have allowed hackers to delete any posted photo they wanted on the site. Through the site’s White Hat program, Kumar has been paid $12,500 for his efforts.
The bug worked by exploiting Facebook’s Support Dashboard, and functioned on any browser and with any version of Facebook. According to Kumar, the bug was actually most effective on mobile devices. The Facebook Support function allows users to send Photo Removal requests to the site, which are reviewed by employees who can then send a link or report back to the user allowing them to remove the image.
However, this bug allows hackers to receive the “delete photo” link themselves without the actual owner of the image ever finding out. Malicious hackers could essentially exploit the code by changing a few numerals in a page’s URL to send the “delete photo” link to themselves, and could take down photos on individual profiles, group pages, fan pages and more. It’s a frighteningly simple bug, and that’s most likely why Kumar received such a hefty payday; the minimum bug bounty paid out by Facebook is $500, and the average is typically around $1,500.