05914530-photo-logo-facebook

Facebook Bug ‘Allowed Anyone’s Photos To Be Deleted’

Bug allowed hackers to delete any Facebook photos they wanted/p>

On by Thomas Brewster 0

A researcher has claimed to have been paid $12,000 for fixing a bug in Facebook that could have let a hacker delete photos of users without having access to their accounts.

Arul Kumar, a 21-year-old researcher from India, said he was able to exploit the mobile version of the Support Dashboard that lets users check on reports they have lodged with the social network.

zuckerberg facebook © Kobby Dagan ShutterstockFacebook flaw

When a user decides to ask Facebook to have another user’s photo removed, the site provides the option of letting them sort the problem out between them, delivering a  removal link containing two parameters that Kumar discovered he could tamper with – namely the ‘photo_id’ and ‘Owners Profile_id’.

By changing those two parameters he could pick any photo he wanted for deletion, without the owner of the photo knowing.

Having initially spoken with Facebook about the problem only to be told the flaw was not exploitable, he proved it could in a video.

The bug should has now been fixed, Facebook confirmed to TechWeekEurope, and the bounty paid.

At least this time it hasn’t received a tongue lashing from the security community. When a researcher revealed a flaw that allowed anyone to post on any timeline, he was not rewarded with a bug bounty. That led to a community effort to raise one for him.

What do you know about Internet security? Find out with our quiz!

Thomas Brewster
Author: Thomas Brewster
Security Correspondent, TechWeekEurope
Thomas Brewster Thomas Brewster Thomas Brewster

White Papers

Techweekeurope for mobile devices
Android-App Google Currents App for iOS

Last comment




0 replies to Facebook Bug ‘Allowed Anyone’s Photos To Be Deleted’

Leave a Reply

  • Required fields are marked *,
    Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>