Feeds

Researcher bags $12,500 after showing how to hack Zuck's pics

Critical flaw once again dismissed by security team

Security for virtualized datacentres

Indian security researcher Arul Kumar has netted himself $12,500 after spotting a critical flaw in Facebook's image handling code that allowed anyone to delete pictures from the site at will.

As he describes in a blog post, the crack requires two legitimate Facebook accounts to work, and is exploited by the way the Facebook Support Dashboard handles requests for photo deletion. If a user wants a photo taken down then can opt to mail the request directly, and doing so generates a URL for the image.

Kumar found that some of the parameters in the URL can be altered; specifically the "Photo_id" value identifying the image and the "Profile_id" that identifies the recipient of the takedown request. A Photo_id is easy to find, since it has a "fbid" identifier assigned by Facebook based on its URL, and Photo_ids can be discovered using Facebook's Graph tool.

By redirecting takedown requests between the two accounts, manned by Kumar and an unidentified "Hindusthanii hacker," any posted or shared photo could be deleted, along with pictures on Facebook Pages or Groups, and advertisers' Suggested Post images – all without any notification to the victim.

As behooves his white-hat status, Kumar contacted Facebook's security team with details about the flaw. However, it gave him the cold shoulder. A team member said that he had "messed around with this for the last 40 minutes" and the issue wasn't serious enough to fix.

Kumar then sent the team a video showing exactly how the hack could be used to delete the photos of Facebook's glorious leader without anyone knowing. Kumar said that he didn't delete any images, but proved it could be done, and after seeing the behoodied one pwned, the security team were much more amenable.

"OK, found the bug, fixing the bug. The fix should be live some time early tomorrow," emailed security team member Emrakul. "I will let you know when it is live so you can retest. Wanted to say your video was very good and helpful, wish all bug reports had such a video :)".

It does seem that if you want to get the Facebook's security team member's attention, a video is the way to go. Last month Palestinian IT student Khalil Shreateh recounted how he'd alerted the team to a critical flaw that could allow images to be posted on anyone's Facebook page. He was rebuffed, and only taken seriously after he sent Facebook a video of him posting an image on Zuckerberg's profile page.

Facebook fixed the flaw, but denied Shreateh any payment of a bug bounty for finding it and booted him off the social network for breaking its terms and conditions. Facebook's chief security officer Joe Sullivan apologized to the student and pledged a revamp of the team's handling of flaw reports, and annoyed security researchers started a contributions campaign for Shreateh which raised $13,125 for his discovery

Facebook is paying out in this case, as Kumar didn't actually crack anyone's account, and the Indian researcher got $12,500 for the flaw, along with $1,500 for other bugs. It seems showing vulnerabilities in Facebook's Supreme Leader is the way to go if you want to get the security team's attention. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.