An Indian electronics and communications engineer who describes himself as a “security enthusiast with a passion for ethical hacking” has discovered a Facebook vulnerability that could have allowed for any photo on the site to be deleted without the owner’s knowledge.
Arul Kumar, a 21 year old from Tamil Nadu, discovered that he could delete any Facebook image within a minute, even from verified pages, all without any interaction from the user.
For his efforts in reporting the vulnerability to Facebook’s whitehat bug bounty program Kumar received a reward of $12,500.
The vulnerability that he discovered was based around exploiting the mobile version of the social network’s Support Dashboard, a portal that allows users to track the progress of any reports they make to the site, including highlighting photos that they believe should be removed.
When such a request is submitted, and Facebook does not remove the photo in question, the user has the option of messaging the image owner directly with a photo removal request.
Doing so causes Facebook to generate a photo removal link which is then sent to the recipient of the message (the photo owner). The owner can then opt to click on that link to remove the image.
Kumar discovered that a couple of parameters within this message – ‘photo_id’ and ‘Owners Profile_id’ – could be easily modified.
With this information he then sent a photo removal request for an unrelated image on another account that he controlled. By changing the two parameters in the message received by the second account, Kumar could then choose to delete any image from any user on the network.
The victim of this photo removal technique would not be involved in the process in any way and wouldn’t receive any messages from Facebook – indeed the first they would know of this would be when they logged in to discover their photo(s) had disappeared.
Read the rest here.