September 5, 2013
Engineer Receives $12K For Finding, Reporting Facebook Photo Vulnerability
redOrbit Staff & Wire Reports - Your Universe Online
A security flaw that allowed hackers to delete photos from any Facebook member’s account has been fixed, and the man who found the vulnerability has been richly rewarded for his efforts, various media outlets have reported.
According to ZDNet’s Charlie Osborne, the flaw was in the Facebook Support Dashboard, which is used to send Photo Removal requests to the social network. Those requests are typically reviewed either by Facebook employees or sent directly to the image’s owner, and a link is then generated that the owner can click to remove the image in question.
“However, while sending the message, two parameters – Photo_id & Owners Profile_id – are vulnerable. If modified, then the hacker could receive any photo removal link within their inbox, without the owner's interaction or knowledge,” she added. “Every photo has an ‘fbid’ value, which can be found through a Facebook URL. After the image ID has been secured, then two Facebook user accounts… can be used to receive a 'remove photo link'.”
The vulnerability was discovered by 21-year-old Indian engineer Arul Kumar, who explained in a blog entry how he was able to modify the two previously mentioned parameters to receive any photo removal link in his own email inbox – without any user interaction, and without any notification from Facebook to the owner that the picture in question had been taken down.
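As an added illustration (not Facebook’s code and not from Kumar’s post), the following Python models the authorization bug described above: a removal-request handler that trusts a client-supplied photo id and owner profile id, beside a hardened handler that looks the owner up server-side, logs a mismatching owner id as a tampering signal, and binds the removal token to the real owner so a link that reaches the wrong inbox cannot be redeemed. All identifiers, the secret and the URL are constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qs

# Constructed sample data, not real Facebook identifiers: photo fbid -> owning profile id
PHOTOS = {"fbid_1001": "profile_alice", "fbid_1002": "profile_bob"}
# Constructed server-side secret that binds a removal token to one photo and one owner
SERVER_SECRET = b"constructed-demo-secret"
# Tampering events recorded by the hardened handler (what a detection pipeline would ingest)
TAMPER_LOG = []

def removal_token(photo_id: str, owner_id: str) -> str:
    # HMAC over photo id and owner id, so the token is only valid for that pair
    return hmac.new(SERVER_SECRET, f"{photo_id}|{owner_id}".encode(), hashlib.sha256).hexdigest()

def build_link(photo_id: str, owner_id: str) -> str:
    return f"https://example.invalid/remove?photo={photo_id}&token={removal_token(photo_id, owner_id)}"

def vulnerable_removal_link(request: dict) -> dict:
    """Models the reported flaw: Photo_id and the owner's Profile_id both come from the
    client and are trusted, so the link is mailed to whatever profile the requester names."""
    photo_id, owner_id = request["photo_id"], request["owner_id"]
    return {"recipient": owner_id, "link": build_link(photo_id, owner_id)}

def hardened_removal_link(request: dict) -> dict:
    """Looks up the owner server-side, ignores any client-supplied profile id, refuses
    unknown photos, and logs a mismatching owner_id as a tampering signal."""
    photo_id = request["photo_id"]
    real_owner = PHOTOS.get(photo_id)
    if real_owner is None:
        raise LookupError(f"unknown photo {photo_id}")
    if "owner_id" in request and request["owner_id"] != real_owner:
        TAMPER_LOG.append({"photo_id": photo_id, "claimed_owner": request["owner_id"]})
    return {"recipient": real_owner, "link": build_link(photo_id, real_owner)}

def redeem_removal_link(link: str, acting_profile: str) -> bool:
    """Server side of the click: the logged-in profile must actually own the photo and
    the token must verify for that photo/profile pair, so a link delivered to the wrong
    inbox cannot be used by its recipient."""
    query = parse_qs(urlsplit(link).query)
    photo_id, token = query["photo"][0], query["token"][0]
    if PHOTOS.get(photo_id) != acting_profile:
        return False
    return hmac.compare_digest(token, removal_token(photo_id, acting_profile))
```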
Kumar said that, by using the bug, he could remove any photo from any page – including verified accounts belonging to celebrities, and even that of Facebook founder Mark Zuckerberg himself. The flaw could also have been used to remove any shared or tagged photos, any picture from a status or photo album, any image in a business/organization page or group, and even photos from comments and/or suggested post advertisements.
Facebook has since closed the security flaw that made deleting those pictures possible, said CBS News writer Chenda Ngak, and Kumar was given a $12,500 reward for reporting it to the social media website’s security team. That reward was given as part of Facebook’s “white hat” program, which compensates hackers a minimum of $500 for tracking down and reporting vulnerabilities in the website.
TechCrunch’s Greg Kumparak called the incident “a nice example of how Facebook’s bounty program should work,” adding that the size of the reward was likely due to the fact that the bug was “really, really simple to reproduce… it would have been trivial to create a tool that allowed a malicious user to delete other users’ photos en masse.”