Saturday 7 September 2013

Vulnerability allowed hacker to Delete any Facebook Photo; Rewarded with $12,500 for reporting bug

Indian Security Enthusiast 'Arul Kumar' recently reported an interesting Facebook vulnerability that allowed him to delete any Facebook image within a minute.


Facebook Bug Bounty program rewarded him with  $12,500 USD for helping the Facebook Security team to patch this critical loophole in their own "Support Dashboard".
The flaw is critical because using this exploitation method hacker can also delete Mark Zuckerberg's (Facebook Founder) Photos from his Photo Album, or even from wall of any verified page too.

Arul posted on his blog, "The Support Dashboard is a portal designed to help you track the progress of the reports you make to Facebook. From your Support Dashboard, you can see if your report has been reviewed by Facebook employees who assess reports 24 hours a day, seven days a week."

That means, if you will report abuse the targeted image and send a Photo Removal Request, Facebook Server Will automatically generates Photo removal Link and send to the Owner. If the Owner of that image clicks that link, Photo will be removed.


Hacker explained that two parameters i.e. Photo_id & Owners Profile_id are vulnerable and if hacker will change modifies the values of these parameters using Inspect Element feature of Google Chrome, then the hacker is able to receive that photo removal link to his own Inbox of another account, rather than sending to the owner's Inbox.

Video demonstration:
This way trick involves just two attackers Facebook account, no victim's interaction and hackers were able to delete any Shared-Tagged photos, Photo from Status & Photo album, Pages, Groups and also from Comments.

Recently Khalil, a Palestinian white hat hacker, Hacked into Zuck's Wall After Facebook Ignored His Bug Report.

No comments:

Post a Comment