A SECURITY RESEARCHER has found a flaw in Facebook that lets hackers delete photos from other people's walls.
Arul Kumar, a 21-year-old Indian engineer, has posted about his experience on his blog. He said that initially Facebook denied that it was a problem, but then, having seen a video proof of concept and tested the flaw, it changed its mind and agreed to pay the security bug bounty.
"I would like to share one of Critical Bug in facebook which leads to delete any photo from facebook without user interaction," he wrote.
"[The] Facebook team has recognized my bug after sending Video POC. Interesting Part is, In that Video I have Exploited Mark Zuckerberg's Photo from his Photo Album & I did not remove his photo. Now it has been fixed fully & Facebook has rewarded me 12,500$(US Dollars) for finding this Critical Bug."
Kumar exploited the Facebook system via its mobile version and its support webpages. He found that he was able to delete photos from a user's account without the owner's intervention and without the social network notifying anyone.
"I can manually modify Photo_id & Owners Profile_id so that I can able to receive any photo removal link to my inbox," said Kumar. "It would be done without any user's Interaction. And also Facebook will not notify owner if his photo was removed."
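The weakness Kumar describes, a removal link minted from client-supplied photo and owner identifiers and delivered to whoever asked, shown beside a server-side ownership check that closes it; this is an added illustration, not Kumar's code or Facebook's, and the in-memory store, user ids and handler names are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample store and a process-local signing key (assumptions, not Facebook's model).
PHOTOS = {"photo-1": {"owner": "user-alice"}, "photo-2": {"owner": "user-bob"}}
INBOX = {}          # recipient user id -> removal links delivered to them
NOTIFICATIONS = {}  # user id -> notices the owner should see
SIGNING_KEY = secrets.token_bytes(32)


def removal_token(photo_id: str, owner_id: str) -> str:
    """Removal token bound to the photo and to the owner it was issued for."""
    msg = f"{photo_id}|{owner_id}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def request_removal_vulnerable(requester_id: str, photo_id: str, owner_id_param: str) -> str:
    """Weak flow: trusts the client-supplied owner id and mails the link to whoever asked.
    Tampering with the photo and owner parameters yields a valid link for another user's photo."""
    link = f"/remove?photo={photo_id}&token={removal_token(photo_id, owner_id_param)}"
    INBOX.setdefault(requester_id, []).append(link)
    return link


def request_removal_hardened(requester_id: str, photo_id: str, owner_id_param: str):
    """Hardened flow: the owner is looked up server-side, owner_id_param is ignored,
    the link goes only to the owner's own inbox, and the owner is told it was issued."""
    photo = PHOTOS.get(photo_id)
    if photo is None or photo["owner"] != requester_id:
        return None  # not the owner: refuse (and worth logging as a tampering attempt)
    owner = photo["owner"]
    link = f"/remove?photo={photo_id}&token={removal_token(photo_id, owner)}"
    INBOX.setdefault(owner, []).append(link)
    NOTIFICATIONS.setdefault(owner, []).append(f"removal link issued for {photo_id}")
    return link


def remove_photo(photo_id: str, token: str, session_user: str) -> bool:
    """Removal needs a valid token AND the owner's own session, so a leaked link alone is not enough."""
    photo = PHOTOS.get(photo_id)
    if photo is None:
        return False
    expected = removal_token(photo_id, photo["owner"])
    if not hmac.compare_digest(token, expected) or session_user != photo["owner"]:
        return False
    del PHOTOS[photo_id]
    NOTIFICATIONS.setdefault(photo["owner"], []).append(f"{photo_id} was removed")
    return True
```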
Owners mentioned by the security researcher include Facebook CEO Mark Zuckerberg and the rapper Eminem.
Before he shared his video with the firm, Kumar had his warning batted away. "Yeah I messed around with this for the last 40 minutes but cannot delete any victims photos," read his first response from the firm. "All I can do is if the victim clicks the links and chooses to remove the the [sic] photo it will be removed which is not a security vuln obviously."
The firm changed its tune after seeing the video proof of concept. The bug has been fixed and Kumar is $12,500 better off.
In August we heard about the other side of Facebook bug reporting. Researcher Khalil Shreateh posted about a Facebook security problem directly to Mark Zuckerberg's public Facebook wall, but was denied a bug bounty payout by the firm.