A researcher has claimed to have been paid $12,000 for fixing a bug in Facebook that could have let a hacker delete photos of users without having access to their accounts.
Arul Kumar, a 21-year-old researcher from India, said he was able to exploit the mobile version of the Support Dashboard that lets users check on reports they have lodged with the social network.
When a user decides to ask Facebook to have another user’s photo removed, the site provides the option of letting them sort the problem out between them, delivering a removal link containing two parameters that Kumar discovered he could tamper with – namely the ‘photo_id’ and ‘Owners Profile_id’.
By changing those two parameters he could pick any photo he wanted for deletion, without the owner of the photo knowing.
Having initially spoken with Facebook about the problem only to be told the flaw was not exploitable, he proved it could in a video.
The bug should has now been fixed, Facebook confirmed to TechWeekEurope, and the bounty paid.
At least this time it hasn’t received a tongue lashing from the security community. When a researcher revealed a flaw that allowed anyone to post on any timeline, he was not rewarded with a bug bounty. That led to a community effort to raise one for him.
What do you know about Internet security? Find out with our quiz!
Thoma Bravo agrees to acquire Darktrace for $5.32 billion in cash, delivering some welcome news…
Customer adoption of AI services embedded in cloud services continues to deliver results for Microsoft,…
TikTok's 'secret source' algorithm is so core to ByteDance, it would rather shut down US…
After relocating from California to Texas in 2020, Oracle's Larry Ellison now reveals plan to…
Share price hit after Meta admits heavy AI spending plans, after posting strong first quarter…
For third time Google delays phase-out of third-party Chrome cookies after pushback from industry and…
