After the last story we all heard about how Facebook treats those attempting to report bugs, it is nice to see things going better. The latest big Facebook bug has been reported and the good Samaritan rewarded a hefty $12,500. The bug in question allowed a user to trick the support system into deleting photos that did not belong to them.
Facebook Exploit Reported for $12,500
An Indian researcher named Arul Kumar discovered the security flaw. He went to some length on his blog explaining just how the exploit can be taken advantage of. The bug is considered of “critical” importance and works on every version of every browser, including mobile devices, on which it seems to work exceptionally well.
You see, whenever someone sends a request to have a photo removed, a message is sent to be viewed by a Facebook employee. Alternatively, the request can be sent directly to the owner of the image, and herein lies the issue. When the message is sent, certain parameters are left unprotected from alteration. It is possible for the message to be intercepted and its target user altered, so a person can ask for a photo to be removed and have the request sent to another user working with them.
The first thing one needs to perform the trick is the Facebook ID (fbid) of the photograph in question, which can be located in the URL of the image. Once that is known, the request for removal can easily be intercepted and sent to a third profile set up as the receiver.
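The flaw described above is a classic case of trusting a client-supplied parameter for an authorization decision: the server lets the request say who the photo's owner is instead of looking that up itself. The following is an added example, not Facebook's code or Kumar's, with a hypothetical in-memory photo store and made-up user and photo IDs; it shows a takedown handler with that defect beside a hardened version that derives the recipient from the server's own record and treats a disagreeing client value as a tampering signal.

```python
# Added example (not Facebook's code): a minimal photo-takedown flow showing the
# parameter-tampering defect beside its fix. The photo store, user IDs and photo
# IDs below are constructed for illustration only.

from dataclasses import dataclass

# Constructed server-side record: photo id -> owning user id
PHOTOS = {
    "photo-1001": "owner-alice",
    "photo-1002": "owner-bob",
}


@dataclass
class TakedownNotice:
    photo_id: str
    recipient: str   # user shown the "remove this photo?" prompt
    requester: str


def route_takedown_vulnerable(request: dict) -> TakedownNotice:
    """Trusts the client-supplied 'owner_id' to choose who receives the notice.
    Anyone who edits that field in transit can redirect the prompt to a
    colluding account, which then approves removal of a photo it does not own."""
    photo_id = request["fbid"]
    if photo_id not in PHOTOS:
        raise KeyError("unknown photo")
    return TakedownNotice(photo_id=photo_id,
                          recipient=request["owner_id"],
                          requester=request["requester"])


def route_takedown_fixed(request: dict) -> TakedownNotice:
    """Derives the recipient from the server-side photo record. If the client
    also sent an owner field and it disagrees, the request is refused rather
    than silently corrected, so the attempt can be logged and investigated."""
    photo_id = request["fbid"]
    if photo_id not in PHOTOS:
        raise KeyError("unknown photo")
    true_owner = PHOTOS[photo_id]
    claimed = request.get("owner_id")
    if claimed is not None and claimed != true_owner:
        raise PermissionError(f"owner mismatch for {photo_id}: tampering suspected")
    return TakedownNotice(photo_id=photo_id, recipient=true_owner,
                          requester=request["requester"])


def approve_removal_vulnerable(notice: TakedownNotice, approver: str) -> bool:
    """Approves if the approver is whoever the notice was routed to, so a
    redirected notice is enough to remove the photo."""
    return approver == notice.recipient


def approve_removal_fixed(notice: TakedownNotice, approver: str) -> bool:
    """Re-checks ownership at the point of action, independent of routing."""
    return approver == PHOTOS.get(notice.photo_id)


def process_takedown(request: dict, approver: str, hardened: bool = True) -> str:
    """Runs routing plus approval and returns the outcome as a short string."""
    try:
        notice = (route_takedown_fixed(request) if hardened
                  else route_takedown_vulnerable(request))
    except PermissionError:
        return "rejected: owner mismatch"
    approved = (approve_removal_fixed(notice, approver) if hardened
                else approve_removal_vulnerable(notice, approver))
    return "removed" if approved else "refused: approver is not the owner"


# Constructed requests: a legitimate one and one whose owner field was edited
LEGIT = {"fbid": "photo-1001", "owner_id": "owner-alice", "requester": "owner-alice"}
TAMPERED = {"fbid": "photo-1001", "owner_id": "accomplice-carol", "requester": "mallory"}

if __name__ == "__main__":
    print("vulnerable, tampered:", process_takedown(TAMPERED, "accomplice-carol", hardened=False))
    print("hardened,   tampered:", process_takedown(TAMPERED, "accomplice-carol", hardened=True))
    print("hardened,   legit:   ", process_takedown(LEGIT, "owner-alice", hardened=True))
```

Two defensive points are worth noting in the hardened path: the recipient is never taken from the request at all, and ownership is checked again when the removal is actually carried out, so a routing bug elsewhere cannot by itself turn into an unauthorized deletion.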
According to Kumar, this trick allows any user to have any photo removed without the knowledge of the photo's owner. As a result of finding this exploit he has been rewarded a hefty $12,500.