An Indian electronics and communications engineer who describes himself as a “security enthusiast with a passion for ethical hacking” has discovered a Facebook vulnerability that could have allowed for any photo on the site to be deleted without the owner’s knowledge.
Arul Kumar, a 21 year old from Tamil Nadu, discovered that he could delete any Facebook image within a minute, even from verified pages, all without any interaction from the user.
For his efforts in reporting the vulnerability to Facebook’s whitehat bug bounty program Kumar received a reward of $12,500.
The vulnerability that he discovered was based around exploiting the mobile version of the social network’s Support Dashboard, a portal that allows users to track the progress of any reports they make to the site, including highlighting photos that they believe should be removed.
When such a request is submitted, and Facebook does not remove the photo in question, the user has the option of messaging the image owner directly with a photo removal request.
Doing so causes Facebook to generate a photo removal link which is then sent to the recipient of the message (the photo owner). The owner can then opt to click on that link to remove the image.
Kumar discovered that a couple of parameters within this message – ‘photo_id’ and ‘Owners Profile_id’ – could be easily modified.
With this information he then sent a photo removal request for an unrelated image on another account that he controlled. By changing the two parameters in the message received by the second account, Kumar could then choose to delete any image from any user on the network.
The victim of this photo removal technique would not be involved in the process in any way and wouldn’t receive any messages from Facebook – indeed the first they would know of this would be when they logged in to discover their photo(s) had disappeared.
Kumar explained that the exploit could be used to remove photos from any verified user, pages or groups as well as from statuses, photo albums, suggested posts and even comments.
As part of the process of responsible disclosure Kumar forwarded details of the bug to the Facebook security team who, at first, could not delete any photos by following his instructions:
Yeah I messed around with this for the last 40 minutes but cannot delete any victims photos. All I can do is if the victim clicks the links and chooses to remove the the [sic] photo it will be removed which is not a security vuln obviously.
Kumar then explained his bug by using a demo account, as well as sending Facebook a proof of concept video in which he showed how he could have removed Mark Zuckerberg’s own photos from his album.
This time, Emrakul from Facebook’s security team was able to see the vulnerability:
Ok found the bug, fixing the bug. The fix should be live sometime early tomorrow.
I will let you know when it is live so you can retest. Wanted to say your video was very good and helpful, I wish all bug reports had such a video :)
Unlike Khalil Shreateh who, two weeks ago, became frustrated with Facebook’s bug reporting process and hacked Mark Zuckerberg’s own timeline, the way in which Kumar reported this bug shows just how responsible disclosure should work.
By following Facebook’s whitehat guidelines he was able to pick up his deserved bounty.