Flaw in Facebook earns reward of $12,500
Posted by: Timothy Weaver on 09/03/2013 11:18 AM
[
Comments
]
Arul Kumar, an Indian security researcher, has netted himself $12,500 for finding a critical hole in Facebook that allows anyone to delete pictures from the site.
What Kumar found was that some of the parameters in the URL can be altered. By redirecting takedown requests, any posted or shared photo could be deleted, all without any notification to the victim.
Kumar contacted Facebook's security team with details about the flaw. A team member said that he had "messed around with this for the last 40 minutes" and the issue wasn't serious enough to fix.
Kumar then sent the team a video showing exactly how the hack could be used to delete the photos. Essentially showing how to delete photo's of Zuckerberg.
"OK, found the bug, fixing the bug. The fix should be live sometime early tomorrow," emailed security team member Emrakul. "I will let you know when it is live so you can retest. Wanted to say your video was very good and helpful, wish all bug reports had such a video
".
Facebook is paying out in this case, as Kumar didn't actually crack anyone's account, and the Indian researcher got $12,500 for the flaw, along with $1,500 for other bugs. It seems showing vulnerabilities in Facebook's Supreme Leader is the way to go if you want to get the security team's attention.
What Kumar found was that some of the parameters in the URL can be altered. By redirecting takedown requests, any posted or shared photo could be deleted, all without any notification to the victim.
Kumar contacted Facebook's security team with details about the flaw. A team member said that he had "messed around with this for the last 40 minutes" and the issue wasn't serious enough to fix.
Kumar then sent the team a video showing exactly how the hack could be used to delete the photos. Essentially showing how to delete photo's of Zuckerberg.
"OK, found the bug, fixing the bug. The fix should be live sometime early tomorrow," emailed security team member Emrakul. "I will let you know when it is live so you can retest. Wanted to say your video was very good and helpful, wish all bug reports had such a video
".Facebook is paying out in this case, as Kumar didn't actually crack anyone's account, and the Indian researcher got $12,500 for the flaw, along with $1,500 for other bugs. It seems showing vulnerabilities in Facebook's Supreme Leader is the way to go if you want to get the security team's attention.
Comments
