Facebook Photo Bug Earns Security Researcher $12,500

By

The practice of finding bugs for bounty is somewhat common, especially when it comes to major sites like Facebook. Now, Facebook has once again shelled out a bounty, and in a big way, for an Indian engineer who discovered how to delete a photo from a Facebook account… including those not specifically belonging to the person exploiting the bug.

Arul Kumar, the engineer in question, began by explaining the bug to Facebook using standard forms, but Facebook denied that the bug was actually a bug in the first place. Kumar later came back with a complete proof of concept video which showed how the bug worked, and that was all Facebook staffers needed to declare the bug a true bug and issue the bounty.

Exploiting the bug would allow Kumar, or anyone else who knew how the bug worked, to remove a photo from anyone's account without the account holder's permission or even notification. Essentially, the bug worked by having a user go to the Support Dashboard, generally via mobile device, and send a request to remove a photo from a profile. From there, Kumar would manually alter the Photo_id and Owners Profile_id features such that the photo removal link was sent to a second Facebook account—the “receiver” account, allowing him to operate as the owner of said photo and remove it. It would allow users to basically pose as a Facebook page owner and remove photos using Facebook's own Photo Removal Request system.

It's worth noting that Facebook really only took action on this bug after receiving Kumar's video proof, and this illustrates one important concept: the value of video in terms of education. Indeed, checking out Kumar's website, which features the correspondence from Facebook, makes it quite clear. The first response from Facebook shows that one Facebook engineer spent almost 40 minutes trying to replicate the bug Kumar reported, and with minimal result. But after Kumar sent the video, and that same Facebook engineer came back with not only a report that the bug had been found, was being fixed, and that the fix should go live sometime the next day. The engineer in question also applauded Kumar's use of video and said that the video was “very good and helpful,” elaborating that “I wish all bug reports had such a video.” Perhaps if Khalil Shreateh—the Palestinian programmer who found the bug allowing users to post on any user's timeline—had put together a proof of concept video, it may have ended up better than it did for him.

Finding bugs on Facebook, or anywhere else, is an important part of the process that gives us all access to powerful, easy to use tools that allow us to communicate, work, or play. But when those bugs can't be effectively communicated, problems that could have been fixed fairly easily can go on and wreak havoc. The value of video in presenting such matters can't be underestimated, and for Arul Kumar, the value of video is at least $12,500 that he wouldn't have had without the video.




Edited by Alisen Downey
Get stories like this delivered straight to your inbox. [Free eNews Subscription]

Contributing TechZone360 Writer

SHARE THIS ARTICLE
Related Articles

Introducing the Newest Addition to ITEXPO #TECHSUPERSHOW: Enterprise Cybersecurity Expo

By: TMCnet News    6/11/2024

TMC today announced the launch of Enterprise Cybersecurity Expo, set to take place from February 11-13, 2025, in Fort Lauderdale, Florida, at the Brow…

Read More

The Shifting Landscape: Emergent Technological Paradigms in Online Sports Wagering

By: Contributing Writer    6/7/2024

In the ever-evolving sphere of online sports wagering, technological advancements have been instrumental in reshaping the landscape, altering how enth…

Read More

Unpacking The Differences: How CPaaS And Network APIs Drive Distinct Innovations

By: Special Guest    6/5/2024

While they share some technical synergies, CPaaS and Network APIs serve different markets and purposes, highlighting the need for complementary strate…

Read More

Protecting Your Digital Fortress Through Threat Exposure Management

By: Contributing Writer    5/23/2024

In today's digital landscape, cybersecurity threats loom large, posing significant risks to businesses, organizations, and individuals alike. With the…

Read More

Why Block Websites? Understanding the Reasons

By: Contributing Writer    5/6/2024

The internet is such an expansive network where every click can lead to information, entertainment, or opportunities for productivity. However, this a…

Read More