Feeds

Researcher bags $12,500 after showing how to hack Zuck's pics

Critical flaw once again dismissed by security team

Beginner's guide to SSL certificates

Indian security researcher Arul Kumar has netted himself $12,500 after spotting a critical flaw in Facebook's image handling code that allowed anyone to delete pictures from the site at will.

As he describes in a blog post, the crack requires two legitimate Facebook accounts to work, and is exploited by the way the Facebook Support Dashboard handles requests for photo deletion. If a user wants a photo taken down then can opt to mail the request directly, and doing so generates a URL for the image.

Kumar found that some of the parameters in the URL can be altered; specifically the "Photo_id" value identifying the image and the "Profile_id" that identifies the recipient of the takedown request. A Photo_id is easy to find, since it has a "fbid" identifier assigned by Facebook based on its URL, and Photo_ids can be discovered using Facebook's Graph tool.

By redirecting takedown requests between the two accounts, manned by Kumar and an unidentified "Hindusthanii hacker," any posted or shared photo could be deleted, along with pictures on Facebook Pages or Groups, and advertisers' Suggested Post images – all without any notification to the victim.

As behooves his white-hat status, Kumar contacted Facebook's security team with details about the flaw. However, it gave him the cold shoulder. A team member said that he had "messed around with this for the last 40 minutes" and the issue wasn't serious enough to fix.

Kumar then sent the team a video showing exactly how the hack could be used to delete the photos of Facebook's glorious leader without anyone knowing. Kumar said that he didn't delete any images, but proved it could be done, and after seeing the behoodied one pwned, the security team were much more amenable.

"OK, found the bug, fixing the bug. The fix should be live some time early tomorrow," emailed security team member Emrakul. "I will let you know when it is live so you can retest. Wanted to say your video was very good and helpful, wish all bug reports had such a video :)".

It does seem that if you want to get the Facebook's security team member's attention, a video is the way to go. Last month Palestinian IT student Khalil Shreateh recounted how he'd alerted the team to a critical flaw that could allow images to be posted on anyone's Facebook page. He was rebuffed, and only taken seriously after he sent Facebook a video of him posting an image on Zuckerberg's profile page.

Facebook fixed the flaw, but denied Shreateh any payment of a bug bounty for finding it and booted him off the social network for breaking its terms and conditions. Facebook's chief security officer Joe Sullivan apologized to the student and pledged a revamp of the team's handling of flaw reports, and annoyed security researchers started a contributions campaign for Shreateh which raised $13,125 for his discovery

Facebook is paying out in this case, as Kumar didn't actually crack anyone's account, and the Indian researcher got $12,500 for the flaw, along with $1,500 for other bugs. It seems showing vulnerabilities in Facebook's Supreme Leader is the way to go if you want to get the security team's attention. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.