Bug bounty programs have become the norm among large tech companies. They promise to reward researchers handsomely in proportion to the severity of the bug while safeguarding the platforms themselves. Facebook, the world's largest social network, is no exception: according to the latest news, it has paid security researcher Arul Kumar $12,500, roughly 25x the base bounty, for unearthing a critical bug that let anyone delete just about any photo on Facebook.
Twenty-one-year-old Arul, from Tamil Nadu, has shared the entire story on his blog. He explains that the critical bug he reported allowed any user to delete any photo on Facebook without any interaction from the photo's owner.
Detailing the flaw, Arul says it existed on the mobile domain and explains:
The Support Dashboard is a portal designed to help you track the progress of the reports you make to Facebook. From your Support Dashboard, you can see if your report has been reviewed by Facebook employees who assess reports 24 hours a day, seven days a week.
If a reported photo was not removed by the Facebook team, the user has the other option to send a Photo Removal Request to the owner via messages. If the user sends a claim message, the Facebook server will automatically generate a photo removal link and send it to the owner. If the owner clicks that link, the photo will be removed.
This flaw exists while sending the message. I can manually modify the Photo_id & Owner's Profile_id so that I am able to receive any photo removal link in my inbox. It would be done without any user's interaction, and also Facebook will not be able to notify the owner if his photo was removed.
In layman's terms, one had the power to remove any photo belonging to verified real users and Pages, such as Mark Zuckerberg's.
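The flaw Arul describes is a classic authorization failure: the server took the photo and owner identifiers from the client's request instead of from its own records, so the removal link could be routed to whoever tampered with the request. The following is an added illustration, not Facebook's code or Arul's; it models a "photo removal request" endpoint with invented identifiers, records and URLs, showing the trusting version next to a hardened one that looks the owner up server-side, requires an open report by the requester, and additionally only honours the link when the photo's real owner clicks it.

```python
"""Constructed model of a photo-removal-request flow (not Facebook's code).

Added example for the flaw described above: a server that trusted
client-supplied photo and owner identifiers, shown next to a hardened
version. Every identifier, record and URL here is invented.
"""
import secrets

# Constructed server-side state.
PHOTOS = {101: "alice", 102: "bob"}          # photo_id -> owner profile id
PENDING_REPORTS = {("mallory", 102)}        # (reporter, photo_id) with an open report
INBOX = {}                                   # profile id -> delivered removal links
TOKENS = {}                                  # link token -> photo_id


def _issue_link(photo_id):
    token = secrets.token_hex(16)
    TOKENS[token] = photo_id
    return f"https://example.invalid/remove?token={token}"


def _token_from(link):
    return link.rsplit("token=", 1)[1]


# --- vulnerable flow -------------------------------------------------------

def send_removal_vulnerable(reporter, photo_id, owner_id):
    """Recipient is whatever owner_id the client sent, and nothing ties
    photo_id to a real report by `reporter`. Tampering with both ids routes
    another user's removal link into the tamperer's own inbox."""
    link = _issue_link(photo_id)
    INBOX.setdefault(owner_id, []).append(link)
    return owner_id


def redeem_vulnerable(token):
    """Clicking the link removes the photo with no check on who clicked."""
    photo_id = TOKENS.pop(token, None)
    return PHOTOS.pop(photo_id, None) is not None


# --- hardened flow ---------------------------------------------------------

def send_removal_fixed(reporter, photo_id, owner_id=None):
    """Reporter must hold an open report on the photo, and the recipient is
    looked up server-side. A client-supplied owner_id that disagrees with
    the record is rejected (and worth logging as a tampering attempt)."""
    if (reporter, photo_id) not in PENDING_REPORTS:
        raise PermissionError("no open report on this photo by this reporter")
    real_owner = PHOTOS.get(photo_id)
    if real_owner is None:
        raise LookupError("unknown photo")
    if owner_id is not None and owner_id != real_owner:
        raise PermissionError("owner_id does not match the photo's owner")
    link = _issue_link(photo_id)
    INBOX.setdefault(real_owner, []).append(link)
    return real_owner


def redeem_fixed(clicking_user, token):
    """Second layer: the link only acts when the logged-in user is the
    photo's current owner, so a leaked or misrouted link is harmless."""
    photo_id = TOKENS.get(token)
    if photo_id is None or PHOTOS.get(photo_id) != clicking_user:
        return False
    del TOKENS[token]          # single use, consumed only on success
    del PHOTOS[photo_id]       # the actual removal
    return True


def demo():
    """Run both flows against the constructed data; returns what happened."""
    # Vulnerable: mallory claims photo 101 with owner_id pointed at herself.
    recipient = send_removal_vulnerable("mallory", 101, "mallory")
    leaked = INBOX["mallory"][-1]
    deleted_by_attacker = redeem_vulnerable(_token_from(leaked))  # alice's photo gone
    # Hardened: a tampered owner_id on a real report is refused outright...
    try:
        send_removal_fixed("mallory", 102, "mallory")
        refused = False
    except PermissionError:
        refused = True
    # ...and the legitimate request routes the link to bob alone, where only
    # bob's own click will act on it.
    send_removal_fixed("mallory", 102)
    link = INBOX["bob"][-1]
    return {
        "vulnerable_recipient": recipient,
        "vulnerable_deleted_by_attacker": deleted_by_attacker,
        "fixed_refused_tampered": refused,
        "fixed_link_usable_by_attacker": redeem_fixed("mallory", _token_from(link)),
        "fixed_link_usable_by_owner": redeem_fixed("bob", _token_from(link)),
    }


if __name__ == "__main__":
    print(demo())
```

The two defences are independent on purpose: deriving the recipient from server records closes the misrouting, while checking the clicker's identity at redemption time means that even a link that does leak (forwarded mail, shared device) cannot remove anyone else's photo.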
Initially the Facebook team failed to recognize the bug, so Arul provided a detailed step-by-step analysis to reproduce it and sent them a video proof of concept in which he clearly explains the bug using demo accounts. In the video he even chooses a photo from Mark Zuckerberg's album as the target, but he did no harm.
This contrasts with security researcher Khalil Shreateh, who recently discovered a Facebook bug that allowed a hacker to post on anyone's wall, even if they weren't that person's friend. To prove his point he demonstrated the bug on Mark Zuckerberg's wall after his repeated attempts to make the Facebook security team aware of it failed. Though the bug was resolved, he was not paid, since the White Hat rules state that one cannot demonstrate bugs using the accounts of real people without their permission.
Arul's bug has been resolved, and he should be one happy guy, since this is the second time in 2013 that he will receive a bounty from Facebook. Earlier, Facebook had approved his 3 open redirectors, which are eligible for a bounty of $1500.
Arul joins the prestigious list of 329 security researchers in 51 countries to whom Facebook has paid over $1 billion in bounties since 2011. However, Arul stands out on that list, since the amount paid to him is 25X the base bounty, which is generally a minimum of $500 per bug. The severity of the bug and the simplicity of reproducing it have earned Arul a big reward. Congrats!
Image Courtesy: Philly.com