Indian researcher Arul Kumar has been rewarded for his work

Sep 2, 2013 09:41 GMT  ·  By

Facebook has recently addressed a security hole that could have been leveraged by hackers to delete any photo from the social media website.

The vulnerability has been identified by Indian security researcher Arul Kumar.

The expert found that he could leverage a security hole in the mobile version of the Support Dashboard to remove any photo. The attack didn't require any user interaction, and the victim wasn't notified about the picture's removal.

The attack relied on two Facebook accounts owned by the attacker.

The first account would send a photo removal request to Facebook. However, since the photo didn't violate any rules, the owner of the photo was notified and asked to remove the photo themselves.

The expert then noticed that he could alter the removal request URL, substituting the photo_id and profile_id of any user.

So, the first attacker-controlled account sends a photo removal request for an image on the second attacker-controlled account. The removal link received by the second account, however, doesn't have to carry the photo_id and profile_id of that image: it can be rewritten to point at a photo on an arbitrary account.
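The flaw described above is a classic authorization bug: the server trusted the photo_id and profile_id carried in the removal link instead of checking them against what the report was actually about. The following is an added example, written for this article and not Facebook's code, that models the flow with a hypothetical `RemovalService` and constructed sample data: a vulnerable handler that acts on the URL parameters as received, beside a fixed handler that binds the removal to the server-side report record and to the photo's current owner.

```python
"""Hypothetical model of the photo-removal flow (added example, not Facebook code)."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample data: photo_id -> owning profile_id
PHOTOS = {"p1001": "attacker2", "p2002": "victim"}


class RemovalService:
    """Hypothetical Support Dashboard back end for photo removal requests."""

    def __init__(self, photos):
        self.photos = dict(photos)
        self.reports = {}  # unguessable token -> (photo_id, owner_id)

    def file_report(self, reporter, photo_id):
        """A report on a photo that does not violate the rules: the owner
        is asked to remove it themselves via a tokenised link."""
        owner = self.photos[photo_id]
        token = secrets.token_urlsafe(16)
        self.reports[token] = (photo_id, owner)
        return token

    def removal_link(self, token):
        photo_id, owner = self.reports[token]
        query = urlencode({"token": token, "photo_id": photo_id, "profile_id": owner})
        return "https://example.invalid/removal?" + query

    @staticmethod
    def _params(url):
        return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

    def remove_vulnerable(self, url, acting_user):
        """Trusts photo_id from the URL once the token is valid: the bug."""
        p = self._params(url)
        if p.get("token") not in self.reports:
            return False
        if p.get("photo_id") in self.photos:
            del self.photos[p["photo_id"]]
            return True
        return False

    def remove_fixed(self, url, acting_user):
        """Authorise against the server-side report, not the URL parameters."""
        p = self._params(url)
        record = self.reports.get(p.get("token"))
        if record is None:
            return False
        photo_id, owner = record
        # The ids in the link must match the photo the report was filed about.
        if p.get("photo_id") != photo_id or p.get("profile_id") != owner:
            return False
        # The user acting on the link must be the photo's current owner.
        if acting_user != owner or self.photos.get(photo_id) != owner:
            return False
        del self.photos[photo_id]
        self.reports.pop(p["token"])  # single use
        return True


def rewrite_ids(url, photo_id, profile_id):
    """Swap the ids in a removal link; this is the tampered input both handlers see."""
    parts = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    q["photo_id"], q["profile_id"] = photo_id, profile_id
    return parts._replace(query=urlencode(q)).geturl()


def tampered_scenario(use_fix):
    """Returns (removal_succeeded, victim_photo_still_present)."""
    svc = RemovalService(PHOTOS)
    token = svc.file_report("attacker1", "p1001")  # report own photo
    link = rewrite_ids(svc.removal_link(token), "p2002", "victim")
    handler = svc.remove_fixed if use_fix else svc.remove_vulnerable
    removed = handler(link, "attacker2")
    return removed, "p2002" in svc.photos


def legitimate_scenario():
    """The owner acting on an untampered link still succeeds with the fix."""
    svc = RemovalService(PHOTOS)
    token = svc.file_report("someone", "p1001")
    return svc.remove_fixed(svc.removal_link(token), "attacker2")


if __name__ == "__main__":
    print("vulnerable:", tampered_scenario(False))  # (True, False): victim photo gone
    print("fixed:     ", tampered_scenario(True))   # (False, True): rejected
    print("legit:     ", legitimate_scenario())     # True
```

The detection angle follows from the same check: a removal request whose photo_id or profile_id differs from the report it was issued for, or whose acting user is not the photo's owner, should be rejected and logged rather than silently honoured.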

A very simple, yet effective hack.

Initially, Facebook engineers didn’t manage to reproduce the issue. However, after the expert sent them a proof-of-concept video to demonstrate the existence of the bug, they fixed it within a day. The researcher has been rewarded with $12,500 (€9,500) for his work.

Similar to Palestinian researcher Khalil Shreateh, Arul Kumar also demonstrated his findings on Mark Zuckerberg’s account. However, he didn’t actually remove the photo so he wasn’t disqualified from the bug bounty program.

Check out the proof-of-concept video published by Arul Kumar. Additional technical details regarding the vulnerability are available on the researcher’s blog.