Bug allowed hackers to delete any Facebook photos they wanted/p>
Arul Kumar, a 21-year-old researcher from India, said he was able to exploit the mobile version of the Support Dashboard that lets users check on reports they have lodged with the social network.
When a user decides to ask Facebook to have another user’s photo removed, the site provides the option of letting them sort the problem out between them, delivering a removal link containing two parameters that Kumar discovered he could tamper with – namely the ‘photo_id’ and ‘Owners Profile_id’.
By changing those two parameters he could pick any photo he wanted for deletion, without the owner of the photo knowing.
Having initially spoken with Facebook about the problem only to be told the flaw was not exploitable, he proved it could in a video.
The bug should has now been fixed, Facebook confirmed to TechWeekEurope, and the bounty paid.
At least this time it hasn’t received a tongue lashing from the security community. When a researcher revealed a flaw that allowed anyone to post on any timeline, he was not rewarded with a bug bounty. That led to a community effort to raise one for him.
What do you know about Internet security? Find out with our quiz!