Original URL: http://www.theregister.co.uk/2013/09/03/researcher_bags_12500_after_showing_how_to_hack_zucks_pics/

Researcher bags $12,500 after showing how to hack Zuck's pics

Critical flaw once again dismissed by security team

By Iain Thomson

Posted in Security, 3rd September 2013 18:33 GMT

Indian security researcher Arul Kumar has netted himself $12,500 after spotting a critical flaw in Facebook's image handling code that allowed anyone to delete pictures from the site at will.

As he describes in a blog post, the crack requires two legitimate Facebook accounts to work, and is exploited by the way the Facebook Support Dashboard handles requests for photo deletion. If a user wants a photo taken down then can opt to mail the request directly, and doing so generates a URL for the image.

Kumar found that some of the parameters in the URL can be altered; specifically the "Photo_id" value identifying the image and the "Profile_id" that identifies the recipient of the takedown request. A Photo_id is easy to find, since it has a "fbid" identifier assigned by Facebook based on its URL, and Photo_ids can be discovered using Facebook's Graph tool.

By redirecting takedown requests between the two accounts, manned by Kumar and an unidentified "Hindusthanii hacker," any posted or shared photo could be deleted, along with pictures on Facebook Pages or Groups, and advertisers' Suggested Post images – all without any notification to the victim.

As behooves his white-hat status, Kumar contacted Facebook's security team with details about the flaw. However, it gave him the cold shoulder. A team member said that he had "messed around with this for the last 40 minutes" and the issue wasn't serious enough to fix.

Kumar then sent the team a video showing exactly how the hack could be used to delete the photos of Facebook's glorious leader without anyone knowing. Kumar said that he didn't delete any images, but proved it could be done, and after seeing the behoodied one pwned, the security team were much more amenable.

"OK, found the bug, fixing the bug. The fix should be live some time early tomorrow," emailed security team member Emrakul. "I will let you know when it is live so you can retest. Wanted to say your video was very good and helpful, wish all bug reports had such a video :)".

It does seem that if you want to get the Facebook's security team member's attention, a video is the way to go. Last month Palestinian IT student Khalil Shreateh recounted how he'd alerted the team to a critical flaw that could allow images to be posted on anyone's Facebook page. He was rebuffed, and only taken seriously after he sent Facebook a video of him posting an image on Zuckerberg's profile page.

Facebook fixed the flaw, but denied Shreateh any payment of a bug bounty for finding it and booted him off the social network for breaking its terms and conditions. Facebook's chief security officer Joe Sullivan apologized to the student and pledged a revamp of the team's handling of flaw reports, and annoyed security researchers started a contributions campaign for Shreateh which raised $13,125 for his discovery

Facebook is paying out in this case, as Kumar didn't actually crack anyone's account, and the Indian researcher got $12,500 for the flaw, along with $1,500 for other bugs. It seems showing vulnerabilities in Facebook's Supreme Leader is the way to go if you want to get the security team's attention. ®