A security researcher said Facebook will award him US$12,500 for finding a flaw that lets anyone remove photos from another person’s profile.
The flaw was described on the blog of 21-year-old Arul Kumar, who lives in the state of Tamil Nadu in south India. Kumar wrote that Facebook initially thought it wasn’t a flaw, but later reversed its position. The vulnerability has been fixed.
Users can request that Facebook remove a photo. If Facebook doesn’t remove it, the user can appeal to the person on whose account it appears to take it down. If the person chooses, the photo can be deleted with a click.
Kumar said he found a way to allow the complainant to receive a link sent from Facebook that would remove the photo without knowledge of the person who had posted the picture. The flaw did not require knowing the victim’s login and password.
The problem resides in a Support Dashboard on Facebook’s mobile domain, Kumar wrote. He generated a form to report a photo, then in the URL inserted the photo ID value for the picture he wanted to remove, known as the “cid” parameter.
Kumar then substituted a Facebook user ID for an account he controlled in place of the ID for the person the report is supposed to go to, which is the “rid” parameter.
When the form is completed and sent, Facebook sends a link that allows the receiver to delete the photo. In Kumar’s example, the link was sent to the account he controlled.
In a video demonstration, Kumar showed technical details of the flaw using a URL that would be generated if someone wanted to report one of Mark Zuckerberg’s photos. But in line with Facebook’s rules regarding security research, Kumar wrote that he used two test accounts to actually show how a photo could be deleted.
Facebook gives a minimum $500 reward to the first person who finds a valid security vulnerability. There is no upper limit, and Facebook may award much more depending on the bug’s severity. The company did not immediately comment on the reward to Kumar.