Engineer Arul Kumar, 21, recently collected a $12,500 payday from Facebook. Kumar discovered a Facebook photo security flaw that allowed him to delete photos from any user's account.
Kumar exploited the flaw through the Facebook Support Dashboard, the tool users go through to ask that an unwanted photo be removed, by redirecting the removal request to an account he controlled.
By altering the parameters in the removal request's URL, Kumar tricked the system into sending the request to a second account that he controlled instead of to the photo's owner.
Each removal request carries a photo ID and the owner's profile ID at the end of its URL. After changing the profile ID to that of his own account, Facebook delivered the removal notification to his inbox, where he could approve the deletion himself. The underlying mistake is that the server trusted the profile ID supplied by the requester to decide who receives, and therefore who can approve, the removal request, instead of looking up the photo's real owner from the photo ID on the server side.
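To make the authorization failure concrete, here is a toy model of the request flow described above. It is example code written for this page, not Facebook's code or Kumar's proof of concept; the service class, the account names, the photo ID and the token format are all assumptions. The same service is run twice: once trusting the client-supplied owner ID (the flaw) and once deriving the owner from the photo record and re-checking ownership at the point of deletion (the fix).

```python
import secrets


class RemovalService:
    """Toy model of the photo-removal request flow (constructed for this example).

    trust_client_owner_id=True reproduces the flaw described above: the profile ID
    supplied in the request URL decides whose inbox receives the removal request.
    trust_client_owner_id=False is the hardened behaviour.
    """

    def __init__(self, trust_client_owner_id):
        self.trust_client_owner_id = trust_client_owner_id
        # Constructed sample data: alice owns one photo; mallory is the attacker.
        self.photos = {"photo-1001": {"owner": "alice", "deleted": False}}
        self.inbox = {"alice": [], "mallory": []}   # pending removal tokens per account
        self.requests = {}                          # token -> photo_id

    def request_removal(self, photo_id, owner_id):
        """Handle a removal request whose URL names photo_id and owner_id."""
        photo = self.photos.get(photo_id)
        if photo is None:
            raise KeyError(photo_id)
        if self.trust_client_owner_id:
            # VULNERABLE: the requester chooses who is notified.
            recipient = owner_id
        else:
            # FIXED: the owner is looked up from the photo record; the URL value
            # is only checked for consistency and never used for routing.
            if owner_id != photo["owner"]:
                raise PermissionError("owner_id in request does not match photo owner")
            recipient = photo["owner"]
        token = secrets.token_urlsafe(16)
        self.requests[token] = photo_id
        self.inbox[recipient].append(token)
        return token

    def approve_removal(self, actor, token):
        """The notified account clicks 'remove this photo'."""
        photo_id = self.requests.get(token)
        if photo_id is None or token not in self.inbox[actor]:
            raise PermissionError("no pending request for this account")
        photo = self.photos[photo_id]
        if not self.trust_client_owner_id and photo["owner"] != actor:
            # Defence in depth: ownership is re-checked at the point of deletion,
            # so a misrouted request still cannot delete someone else's photo.
            raise PermissionError("only the photo owner may approve removal")
        self.inbox[actor].remove(token)
        del self.requests[token]
        photo["deleted"] = True
        return photo_id


def attacker_deletes_victim_photo(trust_client_owner_id):
    """Mallory requests removal of alice's photo but names herself as the owner.
    Returns True if the photo ends up deleted."""
    svc = RemovalService(trust_client_owner_id)
    try:
        token = svc.request_removal("photo-1001", owner_id="mallory")
        svc.approve_removal("mallory", token)
    except PermissionError:
        pass
    return svc.photos["photo-1001"]["deleted"]


def owner_deletes_own_photo(trust_client_owner_id):
    """The legitimate path: alice asks for her own photo to be removed."""
    svc = RemovalService(trust_client_owner_id)
    token = svc.request_removal("photo-1001", owner_id="alice")
    svc.approve_removal("alice", token)
    return svc.photos["photo-1001"]["deleted"]


if __name__ == "__main__":
    print("vulnerable, attacker succeeds:", attacker_deletes_victim_photo(True))
    print("fixed, attacker blocked:", not attacker_deletes_victim_photo(False))
    print("fixed, owner still works:", owner_deletes_own_photo(False))
```

The check worth noting is that the fix is applied in two places: the request handler stops routing on a client-supplied identifier, and the approval handler independently refuses to delete a photo the approving account does not own. Either change alone closes this particular path; together they also cover the case where a request is misrouted for some other reason.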
Here’s what the budding engineer wrote on his blog:
Facebook fixed the bug promptly and paid Kumar the $12,500 bounty.
Facebook's white hat program rewards researchers for reporting security flaws. It pays a minimum of $500 for reports it judges to be real, and there is no maximum cap on what it will pay.
Are you worried about the state of Facebook account security?