Facebook Pays Hacker $12,500 For Discovering Photo Security Flaw


Engineer Arul Kumar, 21, recently collected a $12,500 payday from Facebook. Kumar discovered a Facebook photo security flaw that allowed him to delete photos from any user's account.

Kumar exploited the flaw through the Facebook Support Dashboard, which is used to send requests to remove unwanted photos, by redirecting the removal request note.

By altering the URL string of a photo and turning it into a removal request, Kumar was able to trick the system into sending the request to a second account that he controlled.

Each photo contains a photo ID and profile ID number at the end of the URL. After Kumar changed the profile number to that of his own account, Facebook sent the notification to his inbox, where he was able to control the deletion request.
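The pattern described above, as an added example that is not Facebook's code or Kumar's: a removal-request router that trusts the profile ID in the URL, next to one that looks up the photo's owner on the server. The URL layout, parameter names, function names, and data are all constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: photo ID -> profile ID of the account that owns it.
PHOTO_OWNER = {"1001": "victim-profile"}

# Constructed in-memory audit trail, standing in for a real security log.
AUDIT_LOG = []


def parse_request(url):
    """Extract the (hypothetical) photo_id and profile_id parameters."""
    query = parse_qs(urlparse(url).query)
    return query["photo_id"][0], query["profile_id"][0]


def route_removal_trusting(url):
    """Flawed pattern: the removal note goes to whichever profile the URL names."""
    photo_id, profile_id = parse_request(url)
    return {"photo": photo_id, "notify": profile_id}


def route_removal_checked(url, requester):
    """Hardened pattern: the recipient comes from server-side ownership data."""
    photo_id, claimed_profile = parse_request(url)
    owner = PHOTO_OWNER.get(photo_id)
    if owner is None:
        raise LookupError("unknown photo")
    if claimed_profile != owner:
        # A client-supplied profile that is not the owner is a tampering signal.
        AUDIT_LOG.append(
            {"event": "profile_mismatch", "photo": photo_id,
             "claimed": claimed_profile, "requester": requester}
        )
        raise PermissionError("profile_id does not own this photo")
    return {"photo": photo_id, "notify": owner}


# Constructed URLs: one as the site would generate it, one with the profile swapped.
GENUINE = "https://social.example/support/removal?photo_id=1001&profile_id=victim-profile"
TAMPERED = "https://social.example/support/removal?photo_id=1001&profile_id=second-account"

if __name__ == "__main__":
    print(route_removal_trusting(TAMPERED))   # note is routed to the swapped profile
    print(route_removal_checked(GENUINE, "reporter-1"))
    try:
        route_removal_checked(TAMPERED, "reporter-1")
    except PermissionError as exc:
        print("rejected:", exc, AUDIT_LOG)
```

The checked version never needs the profile ID from the client at all; comparing it against the stored owner is kept only so that a mismatch can be logged and alerted on.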

Here’s what the budding engineer wrote on his blog:

Facebook Photo Security Flaw

Facebook immediately fixed the bug and gave Kumar his $12,500 bonus.

Facebook’s white hat program rewards hackers for reporting security flaws. Facebook pays a minimum of $500 if it deems the threat real, and there is no maximum cap on what can be paid.

Are you worried about the state of Facebook account security?

James Kosur

James Kosur has worked in the new media space for the last 10 years, helping many publications build their audiences to millions of monthly readers. He currently serves as the Director of Business Development at Business2Community.com and the CEO of Aven Enterprises LLC.

