Facebook rewards hacker for reporting photo security flaw

A security flaw that allowed a hacker to delete any user's photos on Facebook has been closed, according to the engineer who reported the loophole to the social network.

Indian engineer Arul Kumar, 21, explained on his blog that he was able to exploit a flaw in the Facebook Support Dashboard, which is used to send requests to remove unwanted photos, by redirecting the removal request note.

Kumar says he was able to alter the URL string of a photo removal request so that it was directed at a second account that he controlled. At the end of the URL, a photo ID and a profile ID number are exposed. He changed the numbers from those of his target to those of one of his own accounts. When the notification was sent to his inbox, he was able to successfully delete the photo.
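The missing check can be shown with a simplified model, added here as an illustration and not taken from Facebook's code or Kumar's blog: a handler that trusts the profile ID in the request beside one that derives the recipient from the server's own ownership record. All function names, IDs and the ownership table are constructed assumptions.

```python
# Simplified model of the removal-request flow (added example, not Facebook code).
# Constructed sample data: photo_id -> owning profile_id.
SAMPLE_OWNERS = {"photo-1001": "profile-alice", "photo-2002": "profile-bob"}


class RequestRejected(Exception):
    """Request parameters do not match the server-side ownership record."""


def route_request_trusting(owners, photo_id, profile_id):
    # Weak version: the recipient of the removal link comes straight from
    # the client-supplied profile_id, so editing the URL redirects the link.
    return {"photo_id": photo_id, "notify": profile_id}


def route_request_checked(owners, photo_id, profile_id, audit_log):
    # Hardened version: the recipient is looked up server-side. A supplied
    # profile_id that disagrees is rejected and recorded for detection.
    owner = owners.get(photo_id)
    if owner is None:
        raise RequestRejected("unknown photo")
    if profile_id != owner:
        audit_log.append(("owner_mismatch", photo_id, profile_id))
        raise RequestRejected("profile_id does not own this photo")
    return {"photo_id": photo_id, "notify": owner}


def delete_via_link(owners, acting_profile, photo_id):
    # Second check at the point of action: holding a link is not enough,
    # the logged-in account must be the recorded owner of the photo.
    if owners.get(photo_id) != acting_profile:
        raise RequestRejected("acting account is not the owner")
    remaining = dict(owners)
    del remaining[photo_id]
    return remaining


if __name__ == "__main__":
    log = []
    print(route_request_trusting(SAMPLE_OWNERS, "photo-1001", "profile-bob"))
    try:
        route_request_checked(SAMPLE_OWNERS, "photo-1001", "profile-bob", log)
    except RequestRejected as exc:
        print("rejected:", exc, log)
```

The audit log entry gives defenders a signal to alert on: a removal request whose profile ID does not match the photo's recorded owner.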

In his blog, Kumar writes:

Arul Kumar

Kumar also posted the email exchange with Facebook's security team, including the message that notified him of the $12,500 reward for his findings. Facebook says the bug has been fixed.

Facebook's white hat program rewards hackers for reporting security flaws they find in the social network. The minimum reward is $500, and there is no maximum cap on how much a hacker can get paid.
