Researcher claims $12,500 reward for finding Facebook photo bug

The flaw, which has been fixed, could allow a user to delete photos from someone else's account

A security researcher said Facebook will award him US$12,500 for finding a flaw that lets anyone remove photos from another person's profile.

The flaw was described on the blog of 21-year-old Arul Kumar, who lives in the state of Tamil Nadu in south India. Kumar wrote that Facebook initially thought it wasn't a flaw, but later reversed its position. The vulnerability has been fixed.

Users can request that Facebook remove a photo. If Facebook doesn't remove it, the user can appeal to the person on whose account it appears to take it down. If the person chooses, the photo can be deleted with a click.

Kumar said he found a way to allow the complainant to receive a link sent from Facebook that would remove the photo without knowledge of the person who had posted the picture. The flaw did not require knowing the victim's login and password.

The problem resides in a Support Dashboard on Facebook's mobile domain, Kumar wrote. He generated a form to report a photo, then in the URL inserted the photo ID value for the picture he wanted to remove, known as the "cid" parameter.

Kumar then substituted a Facebook user ID for an account he controlled in place of the ID for the person the report is supposed to go to, which is the "rid" parameter.

When the form is completed and sent, Facebook sends a link that allows the receiver to delete the photo. In Kumar's example, the link was sent to the account he controlled.

In a video demonstration, Kumar showed technical details of the flaw using a URL that would be generated if someone wanted to report one of Mark Zuckerberg's photos. But in line with Facebook's rules regarding security research, Kumar wrote that he used two test accounts to actually show how a photo could be deleted.

Facebook gives a minimum $500 reward to the first person who finds a valid security vulnerability. There is no upper limit, and Facebook may award much more depending on the bug's severity. The company did not immediately comment on the reward to Kumar.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags internetFacebooksocial networkingInternet-based applications and servicesExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?