A critical bug has been discovered in Facebook that allows any attacker to delete any photo from any account without the owner's consent or knowledge. The vulnerability was discovered recently by Indian security researcher Arul Kumar. According to Arul, the Facebook security flaw is so critical that an attacker could delete any photo from any account, even from the photo albums of Mark Zuckerberg.
The vulnerability he discovered was based on exploiting the mobile version of the social network's Facebook Support Dashboard. The Support Dashboard is used to send photo removal requests when one user wants a photo posted by another user taken down. When a user raises such a request at the dashboard, the server automatically generates a photo removal link and sends it to the other user (the owner). As soon as the owner clicks the link, the photo is removed from the site.
The researcher found that the vulnerability lies in that link: a couple of its parameters, namely "photo_id" and the owner's "profile_id", can be easily modified. By changing those parameters to another Facebook profile id and photo id, one could delete any photo from any user account on Facebook.
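As an added illustration that is not part of the original report or of Facebook's own code, the sketch below contrasts a removal handler that trusts the identifiers carried in the link (the class of flaw described above) with one that binds photo_id and profile_id to a server-issued HMAC tag and checks that the user clicking the link actually owns the photo; the URL, secret and in-memory photo store are constructed placeholders.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs

# Constructed placeholder secret; a real service keeps this out of source control.
SERVER_SECRET = b"example-secret-do-not-reuse"


def _tag_for(photo_id: int, profile_id: int) -> str:
    """HMAC over the two identifiers so that neither can be swapped after issuance."""
    payload = f"photo_id={photo_id}&profile_id={profile_id}".encode()
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_removal_link(photo_id: int, owner_id: int) -> str:
    """Server side: build the removal link sent to the photo owner."""
    params = {"photo_id": photo_id, "profile_id": owner_id,
              "tag": _tag_for(photo_id, owner_id)}
    return "https://example.invalid/remove?" + urlencode(params)


def vulnerable_handler(query: str, clicking_user: int, photos: dict) -> bool:
    """Trusts photo_id from the link and ignores who clicked: any photo can be deleted."""
    photo_id = int(parse_qs(query)["photo_id"][0])
    if photo_id in photos:
        del photos[photo_id]
        return True
    return False


def hardened_handler(query: str, clicking_user: int, photos: dict) -> bool:
    """Verify the tag, then check ownership, before deleting anything."""
    q = parse_qs(query)
    photo_id = int(q["photo_id"][0])
    profile_id = int(q["profile_id"][0])
    tag = q.get("tag", [""])[0]
    if not hmac.compare_digest(tag, _tag_for(photo_id, profile_id)):
        return False  # identifiers were altered after the link was issued
    # photos maps photo_id -> owner_id; only the owner may act on the link
    if clicking_user != profile_id or photos.get(photo_id) != profile_id:
        return False
    del photos[photo_id]
    return True
```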
Initially, when Arul submitted the bug, Facebook's engineers were unable to reproduce the issue. After Arul sent a demo video showing the bug, they confirmed it and treated it as high priority. Facebook was quick to fix the bug, resolving it the same day. The researcher Arul Kumar was awarded $12,500 under Facebook's Bug Bounty program, which encourages researchers to report their findings in return for a financial reward.
Source: Arul