A researcher has claimed to have been paid $12,000 for fixing a bug in Facebook that could have let a hacker delete photos of users without having access to their accounts.
Arul Kumar, a 21-year-old researcher from India, said he was able to exploit the mobile version of the Support Dashboard that lets users check on reports they have lodged with the social network.
When a user decides to ask Facebook to have another user’s photo removed, the site provides the option of letting them sort the problem out between them, delivering a removal link containing two parameters that Kumar discovered he could tamper with – namely the ‘photo_id’ and ‘Owners Profile_id’.
By changing those two parameters he could pick any photo he wanted for deletion, without the owner of the photo knowing.
Having initially spoken with Facebook about the problem only to be told the flaw was not exploitable, he proved it could in a video.
The bug should has now been fixed, Facebook confirmed to TechWeekEurope, and the bounty paid.
At least this time it hasn’t received a tongue lashing from the security community. When a researcher revealed a flaw that allowed anyone to post on any timeline, he was not rewarded with a bug bounty. That led to a community effort to raise one for him.
What do you know about Internet security? Find out with our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…
