Researcher claims $12,500 reward for finding Facebook photo bug

The flaw, which has been fixed, could allow a user to delete photos from someone else's account

A security researcher said Facebook will award him US$12,500 for finding a flaw that lets anyone remove photos from another person's profile.

The flaw was described on the blog of 21-year-old Arul Kumar, who lives in the state of Tamil Nadu in south India. Kumar wrote that Facebook initially thought it wasn't a flaw, but later reversed its position. The vulnerability has been fixed.

Users can request that Facebook remove a photo. If Facebook doesn't remove it, the user can appeal to the person on whose account it appears to take it down. If the person chooses, the photo can be deleted with a click.

Kumar said he found a way to allow the complainant to receive a link sent from Facebook that would remove the photo without knowledge of the person who had posted the picture. The flaw did not require knowing the victim's login and password.

The problem resides in a Support Dashboard on Facebook's mobile domain, Kumar wrote. He generated a form to report a photo, then in the URL inserted the photo ID value for the picture he wanted to remove, known as the "cid" parameter.

Kumar then substituted a Facebook user ID for an account he controlled in place of the ID for the person the report is supposed to go to, which is the "rid" parameter.

When the form is completed and sent, Facebook sends a link that allows the receiver to delete the photo. In Kumar's example, the link was sent to the account he controlled.

In a video demonstration, Kumar showed technical details of the flaw using a URL that would be generated if someone wanted to report one of Mark Zuckerberg's photos. But in line with Facebook's rules regarding security research, Kumar wrote that he used two test accounts to actually show how a photo could be deleted.

Facebook gives a minimum $500 reward to the first person who finds a valid security vulnerability. There is no upper limit, and Facebook may award much more depending on the bug's severity. The company did not immediately comment on the reward to Kumar.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Topics: Internet-based applications and services, security, social networking, internet, Exploits / vulnerabilities, Facebook
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?