Feeds

Researcher bags $12,500 after showing how to hack Zuck's pics

Critical flaw once again dismissed by security team

Using blade systems to cut costs and sharpen efficiencies

Indian security researcher Arul Kumar has netted himself $12,500 after spotting a critical flaw in Facebook's image handling code that allowed anyone to delete pictures from the site at will.

As he describes in a blog post, the crack requires two legitimate Facebook accounts to work, and is exploited by the way the Facebook Support Dashboard handles requests for photo deletion. If a user wants a photo taken down then can opt to mail the request directly, and doing so generates a URL for the image.

Kumar found that some of the parameters in the URL can be altered; specifically the "Photo_id" value identifying the image and the "Profile_id" that identifies the recipient of the takedown request. A Photo_id is easy to find, since it has a "fbid" identifier assigned by Facebook based on its URL, and Photo_ids can be discovered using Facebook's Graph tool.

By redirecting takedown requests between the two accounts, manned by Kumar and an unidentified "Hindusthanii hacker," any posted or shared photo could be deleted, along with pictures on Facebook Pages or Groups, and advertisers' Suggested Post images – all without any notification to the victim.

As behooves his white-hat status, Kumar contacted Facebook's security team with details about the flaw. However, it gave him the cold shoulder. A team member said that he had "messed around with this for the last 40 minutes" and the issue wasn't serious enough to fix.

Kumar then sent the team a video showing exactly how the hack could be used to delete the photos of Facebook's glorious leader without anyone knowing. Kumar said that he didn't delete any images, but proved it could be done, and after seeing the behoodied one pwned, the security team were much more amenable.

"OK, found the bug, fixing the bug. The fix should be live some time early tomorrow," emailed security team member Emrakul. "I will let you know when it is live so you can retest. Wanted to say your video was very good and helpful, wish all bug reports had such a video :)".

It does seem that if you want to get the Facebook's security team member's attention, a video is the way to go. Last month Palestinian IT student Khalil Shreateh recounted how he'd alerted the team to a critical flaw that could allow images to be posted on anyone's Facebook page. He was rebuffed, and only taken seriously after he sent Facebook a video of him posting an image on Zuckerberg's profile page.

Facebook fixed the flaw, but denied Shreateh any payment of a bug bounty for finding it and booted him off the social network for breaking its terms and conditions. Facebook's chief security officer Joe Sullivan apologized to the student and pledged a revamp of the team's handling of flaw reports, and annoyed security researchers started a contributions campaign for Shreateh which raised $13,125 for his discovery

Facebook is paying out in this case, as Kumar didn't actually crack anyone's account, and the Indian researcher got $12,500 for the flaw, along with $1,500 for other bugs. It seems showing vulnerabilities in Facebook's Supreme Leader is the way to go if you want to get the security team's attention. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.