Facebook rewards hacker for reporting photo security flaw

The "Facebook" logo is seen on a tablet screen on December 4, 2012 in Paris. AFP PHOTO / LIONEL BONAVENTURE (Photo credit should read LIONEL BONAVENTURE/AFP/Getty Images) LIONEL BONAVENTURE/AFP/Getty Images

A security flaw that allowed a hacker to delete photos from anyone on Facebook has been closed, according to the engineer who reported the loophole to the social network.

Indian engineer Arul Kumar, 21, explained on his blog that he was able to exploit a flaw on the Facebook Support Dashboard that is used to send requests to remove unwanted photos by redirecting the removal request note.

Kumar says he was able to alter the URL string of a photo removal request, so that it was be directed at a second account that he was in control of. At the end of the URL, a photo ID and profile ID number are exposed. He altered the numbers from that of his target to one of his accounts. When the notification was sent to his inbox, he was able to successfully delete the photo.

In his blog, Kumar writes:

Arul Kumar

Kumar also posted the email exchange with Facebook's security team, including the message that notified him of the $12,500 reward for his findings. Facebook says the bug has been fixed.

Facebook's white hat program rewards hackers for reporting security flaws they find in the social network. The minimum reward is $500, and there is no maximum cap on how much a hacker can get paid.

Comments

CBSN Live

pop-out
Live Video

Watch CBSN Live

Watch CBS News anytime, anywhere with the new 24/7 digital news network. Stream CBSN live or on demand for FREE on your TV, computer, tablet, or smartphone.