A 21-year-old security enthusiast from India found a vulnerability that allowed anyone to delete any photo on Facebook – earns $12,500 bounty


Facebook's security has been challenged again, raising the question of how weak its security team is and how little it pays bug hunters. Arul Kumar, a 21-year-old engineering student from India, discovered a security vulnerability on Facebook that could be used to delete anyone’s pictures. Arul is a security enthusiast who submitted the code with a proof of concept yesterday.

The security issue was based on exploiting the mobile version of the social network’s Support Dashboard, a portal that allows users to track the progress of any reports, including highlighting photos that they believe should be removed.

As per the technical explanation on Kumar’s blog: “The Support Dashboard is a portal designed to help you track the progress of the reports you make to Facebook. From your Support Dashboard, you can see if your report has been reviewed by Facebook employees who assess reports 24 hours a day, seven days a week.

Mainly this flaw exists on the mobile domain. In the Support Dashboard, if any reported photo was not removed by the Facebook team, the user has the other option to send a Photo Removal Request to the owner via messages. If a user sends a claim message, the Facebook server will automatically generate a photo removal link and send it to the owner. If the owner clicks that link, the photo will be removed.

This flaw exists while sending the message. I can manually modify Photo_id & Owner's Profile_id so that I am able to receive any photo removal link in my inbox. It would be done without any user’s interaction. And also Facebook will not notify the owner if his photo was removed.”

Kumar explained that the exploit could be used to remove photos from any verified user, pages or groups as well as from statuses, photo albums, suggested posts and even comments.

Conditions for exploiting the bug:

i) We need two Facebook accounts to delete anyone’s photo permanently. One account will act as “Sender” to send the claim message. Another account will act as “Receiver”, who receives the photo removal link from the sender.

ii) Before deleting a photo, we should gather the photo_id (fbid) which we need to remove and also the profile_id of the receiver to receive the photo removal message.
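The missing server-side ownership check behind this flaw, sketched as an added example (it is not Facebook's code or Kumar's proof of concept): a claim handler that trusts the client-supplied `photo_id` and owner `profile_id`, next to one that derives the owner itself. All function names, the `PHOTOS` and `INBOX` stores and the sample accounts are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)        # per-process signing key (constructed)
PHOTOS = {"1001": "alice", "1002": "bob"}   # photo_id -> owner profile_id (constructed)
INBOX = {}                                  # profile_id -> removal links delivered

def _sign(photo_id, profile_id):
    msg = f"{photo_id}:{profile_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def send_claim_vulnerable(sender, photo_id, owner_profile_id):
    # Flawed pattern: both identifiers come from the request, and the server
    # never checks that owner_profile_id really owns photo_id.
    link = (photo_id, owner_profile_id, _sign(photo_id, owner_profile_id))
    INBOX.setdefault(owner_profile_id, []).append(link)
    return link

def send_claim_fixed(sender, photo_id, owner_profile_id=None):
    # Hardened pattern: look the owner up server-side; a client-supplied
    # recipient is rejected if it disagrees with the stored owner.
    owner = PHOTOS.get(photo_id)
    if owner is None:
        raise KeyError("unknown photo")
    if owner_profile_id is not None and owner_profile_id != owner:
        raise PermissionError("recipient is not the photo owner")
    link = (photo_id, owner, _sign(photo_id, owner))
    INBOX.setdefault(owner, []).append(link)
    return link

def confirm_removal(session_user, link):
    # Defence in depth: the link only works for the logged-in owner,
    # whatever inbox it ended up in.
    photo_id, profile_id, sig = link
    if not hmac.compare_digest(sig, _sign(photo_id, profile_id)):
        raise PermissionError("bad signature")
    if session_user != profile_id or PHOTOS.get(photo_id) != session_user:
        raise PermissionError("only the owner can remove this photo")
    del PHOTOS[photo_id]
    return True
```

The ownership check is applied twice on purpose: once when the link is issued and again when it is redeemed, so a mistake in one handler does not by itself allow a deletion.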

As per Arul’s blog, the Facebook security team initially couldn’t validate the finding.

From Facebook:

“Yeah I messed around with this for the last 40 minutes but cannot delete any victims photos. All I can do is if the victim clicks the links and chooses to remove the the [sic] photo it will be removed which is not a security vuln obviously.”

Later, Arul provided a proof of concept in a detailed video, which helped Facebook confirm it:

“Ok found the bug, fixing the bug. The fix should be live sometime early tomorrow.

I will let you know when it is live so you can retest. Wanted to say your video was very good and helpful, I wish all bug reports had such a video 🙂”

It's funny that the Facebook team couldn’t validate the issue; however, paying only $12,500 for such a critical bug is far too little considering its impact had a hacker discovered it for evil purposes.
