Tuesday, 3 September 2013

Facebook shells out $12,500 for photo deleting security bug find

Image of Facebook logo and login screen
Facebook has paid a bug hunter $12,500 for spotting a flaw in its software that could theoretically be exploited to delete users photos without their consent.
The bug was found by 21-year-old Indian engineer and self-professed security enthusiast Arul Kumar, who reported receiving the payment in his blog. "I would like to share one of Critical Bug in Facebook which leads to delete any photo from facebook without user interaction," he wrote.
"[The] Facebook team has recognised my bug after sending video POC. Interesting part is, In that video I have exploited Mark Zuckerberg's photo from his photo album and I did not remove his photo. Now it has been fixed fully and Facebook has rewarded me $12,500 for finding this Critical Bug."
At the time of publishing Facebook had not responded to V3's request for confirmation of Kumar's blog post. Kumar explained the flaw was in the mobile version of Facebook's support dashboard and prior to the new fix was remotely exploitable.
"The support dashboard is a portal designed to help you track the progress of the reports you make to Facebook. From your support dashboard, you can see if your report has been reviewed by Facebook employees who assess reports 24 hours a day, seven days a week," he wrote.
"Mainly this flaw exists on mobile domain in [the] support dashboard. If any reported photo was not removed by Facebook team, [the] user has the other option to send Photo Removal Request to owner via messages.If users sends a claim message, Facebook server will automatically generate photo removal link and it will send to the owner. If [the] owner clicks that link, [the] photo will be removed."
Kumar claims Facebook initially ignored his bug report with a research replying: "Yeah I messed around with this for the last 40 minutes but cannot delete any victims photos."
The Indian engineer is one of many researchers whose initial reports have been disregarded. Prior to it independent researcher Khalil Shreateh received a similar message after attempting to disclose a bug allowing users to post on other people's public Facebook pages even if they are not friends.
However, unlike Kumar, who responded by sending a video offering a more detailed guide about how to exploit the bug, thus earning his bounty, Shreateh controversially exploited the flaw he'd discovered to post a message on Facebook founder Mark Zuckerberg's wall. The move led Facebook to refuse to pay Shreateh for the bounty as he had broken its responsible disclosure policy.

No comments:

Post a Comment