A security flaw that allowed a hacker to delete any user's photos on Facebook has been closed, according to the engineer who reported the loophole to the social network.
Indian engineer Arul Kumar, 21, explained on his blog that he was able to exploit a flaw in the Facebook Support Dashboard, which is used to send requests to remove unwanted photos, by redirecting the removal request note.
Kumar says he was able to alter the URL string of a photo removal request so that it was directed at a second account that he controlled. At the end of the URL, a photo ID and a profile ID number are exposed. He changed the numbers from those of his target to those of one of his own accounts. When the notification was sent to his inbox, he was able to successfully delete the photo.
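The flaw described above comes down to a missing ownership check on identifiers carried in the URL. The Python example below is added here for illustration and is not Facebook's or Kumar's code; the function names, the `photo_id` and `profile_id` parameter names, and the IDs are assumptions constructed for the example. It contrasts a handler that trusts the profile ID in the request with one that takes the recipient from a server-side ownership record and checks ownership again at deletion.

```python
class Forbidden(Exception):
    """Raised when a request fails an ownership check."""


def route_vulnerable(params, inboxes):
    """Flawed pattern: the removal link goes to whichever profile ID the URL names."""
    recipient = params["profile_id"]  # client-controlled, never verified
    inboxes.setdefault(recipient, []).append(params["photo_id"])
    return recipient


def route_hardened(params, owners, inboxes):
    """Take the recipient from the server-side ownership record instead."""
    photo_id = params["photo_id"]
    owner = owners.get(photo_id)
    if owner is None:
        raise Forbidden("unknown photo")
    # A profile ID in the URL is only compared with the record, never used for routing.
    if params.get("profile_id", owner) != owner:
        raise Forbidden("profile_id does not own this photo")
    inboxes.setdefault(owner, []).append(photo_id)
    return owner


def delete_photo(session_profile, photo_id, owners):
    """Re-check ownership at deletion: holding a removal link is not authorization."""
    if owners.get(photo_id) != session_profile:
        raise Forbidden("session user does not own this photo")
    del owners[photo_id]
    return True


def demo():
    # Constructed sample data; these are not real Facebook identifiers.
    owners = {"photo-1001": "profile-owner", "photo-2002": "profile-other"}
    tampered = {"photo_id": "photo-1001", "profile_id": "profile-other"}
    results = {"vulnerable_recipient": route_vulnerable(tampered, {})}
    try:
        route_hardened(tampered, owners, {})
        results["hardened"] = "routed"
    except Forbidden as exc:
        results["hardened"] = f"rejected: {exc}"
    results["owner_routed_to"] = route_hardened({"photo_id": "photo-1001"}, owners, {})
    try:
        delete_photo("profile-other", "photo-1001", owners)
    except Forbidden:
        results["non_owner_delete"] = "rejected"
    results["owner_delete"] = delete_photo("profile-owner", "photo-1001", owners)
    return results


if __name__ == "__main__":
    print(demo())
```

Logging each `Forbidden` raised for a mismatched `profile_id` gives the operations team a direct signal that someone is tampering with removal requests.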
In his blog, Kumar writes:
Kumar also posted the email exchange with Facebook's security team, including the message that notified him of the $12,500 reward for his findings. Facebook says the bug has been fixed.
Facebook's white hat program rewards hackers for reporting security flaws they find in the social network. The minimum reward is $500, and there is no maximum cap on how much a hacker can get paid.