How would you react if one of the photos in your Facebook stream were suddenly deleted, with no action on your part and without Facebook even notifying you? That was the state of a critical bug until 30 August 2013.
Arul Kumar, a 21-year-old electronics and communications engineer from the Indian state of Tamil Nadu, won USD 12,500 under Facebook's White Hat program, which pays anyone who reports security flaws or bugs to the Facebook Security team. The minimum award is USD 500; the maximum depends on the severity and creativity of the finding. Arul Kumar is a security enthusiast who practices ethical hacking, and he received a Facebook bounty twice in 2013.
Arul Kumar reported a critical Facebook bug to the security team under the White Hat program: by following the steps he described, anyone could delete any photo on Facebook without the owner's interaction. At first, Facebook's security team could not see the bug.
Kumar then explained the bug using a demo account and sent Facebook a proof-of-concept video in which he showed how he could have removed Mark Zuckerberg's own photos from his album. This time Emrakul of Facebook's security team was able to see the vulnerability, and it was fixed within a day.
The vulnerability Arul discovered was based on exploiting the mobile version of Facebook's Support Dashboard, a portal that lets users track the progress of any reports they make to the site, including flagging photos they believe should be removed.
In the Support Dashboard, if Facebook's team did not remove a reported photo, the user had the further option of sending a 'Photo Removal Request' to the owner via messages. When the user sent such a claim message, the Facebook server automatically generated a photo removal link and sent it to the owner. If the owner clicked that link, the photo was removed.
The flaw lay in the message-sending step: an attacker could manually modify the Photo_id and the owner's Profile_id, so that the removal link for any photo was delivered to the attacker's own inbox. This required no interaction from the photo's owner, and Facebook did not notify the owner when the photo was removed. Facebook rewarded Arul Kumar USD 12,500 for finding this critical bug.
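The flaw described above is a classic case of trusting client-supplied object identifiers. The following is an added illustration written for this article, not Facebook's code: it models the removal-request flow with constructed in-memory data and hypothetical function names, showing the vulnerable pattern (Photo_id and owner id taken from the message) beside a hardened version that derives both from the server-side report, requires the real owner to redeem the link, and records a notification.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"  # constructed for this example only
# Constructed sample state: photos, Support Dashboard reports, inboxes, notifications.
PHOTOS = {"p1": {"owner": "alice", "deleted": False}}
REPORTS = {"r1": {"reporter": "eve", "photo_id": "p1"}}
INBOX = {}          # profile_id -> removal links delivered by message
NOTIFICATIONS = []  # (owner, photo_id) recorded when a photo is removed

def removal_token(photo_id, owner_id):
    """Server-signed token over the (photo, owner) pair carried in the link."""
    msg = f"{photo_id}:{owner_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def send_removal_request_vulnerable(photo_id, owner_id):
    """Photo_id and owner id come straight from the client message (the bug)."""
    link = (photo_id, owner_id, removal_token(photo_id, owner_id))
    INBOX.setdefault(owner_id, []).append(link)  # delivered to whoever was named
    return link

def click_removal_link_vulnerable(link):
    """Only checks the server signature; whoever holds the link can delete."""
    photo_id, owner_id, token = link
    if not hmac.compare_digest(token, removal_token(photo_id, owner_id)):
        return False
    PHOTOS[photo_id]["deleted"] = True  # no owner check, no notification
    return True

def send_removal_request_hardened(requester, report_id):
    """Photo and owner are derived from the server-side report, not the client."""
    report = REPORTS.get(report_id)
    if report is None or report["reporter"] != requester:
        raise PermissionError("report missing or not filed by requester")
    photo_id = report["photo_id"]
    owner_id = PHOTOS[photo_id]["owner"]
    link = (photo_id, owner_id, removal_token(photo_id, owner_id))
    INBOX.setdefault(owner_id, []).append(link)
    return link

def click_removal_link_hardened(clicker, link):
    """Recheck against the real owner, require the owner to click, notify them."""
    photo_id, _, token = link
    owner_id = PHOTOS[photo_id]["owner"]
    expected = removal_token(photo_id, owner_id)
    if clicker != owner_id or not hmac.compare_digest(token, expected):
        return False
    PHOTOS[photo_id]["deleted"] = True
    NOTIFICATIONS.append((owner_id, photo_id))
    return True
```

With the vulnerable pair, a link requested with a substituted owner id lands in the requester's own inbox and deletes the photo silently; the hardened pair rejects the same link because the token no longer matches the photo's real owner.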
Under this program, anyone who finds a security loophole can report it to Facebook for a fix and may be rewarded for doing so. Facebook runs the White Hat program to collaborate with external security researchers and to help ensure that the highest security standards are maintained for its users.
Demo video that describes the security vulnerability