It will reward the Indian engineer $12,500 in bounty for exposing the vulnerability
Facebook has fixed a bug that allowed hackers to delete any image stored on the social networking website without the user’s knowledge.
Discovered by Indian electronics and communications engineer Arul Kumar, the bug could be exploited through the mobile version of Facebook's support dashboard.
He will receive payment of $12,500 for discovering the error.
The vulnerability allowed attackers to abuse the support dashboard, which users can use to follow the progress of reports they have submitted to Facebook, such as photo removal requests.
When such a report is received and Facebook does not remove the photo, the user has the option to message the image uploader directly with a request to remove it.
Doing so generates a photo removal link that is sent to the photo owner. By changing parameters within this message, Kumar redirected the photo removal request to an account he controlled.
Having changed the parameters, Kumar could then choose to delete any image from any user on the network.
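The flaw described above is an authorization bug of the insecure-direct-object-reference kind: the removal link carried identifiers the client could rewrite, and the server acted on them without confirming, from its own records, who actually owned the photo. The following Python is an added illustration and is not Facebook's code; the account names, photo ids and the HMAC-signed report token are constructed for the example, and the token scheme is one assumed mitigation rather than what Facebook actually shipped.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed sample data (not real accounts): photo id -> owner.
SAMPLE_PHOTOS = {"photo-1001": "alice", "photo-2002": "bob"}


class VulnerableRemovalService:
    """Models the flaw in the article: the removal link carries plain
    photo/owner parameters and the server trusts them as submitted."""

    def __init__(self, photos):
        self.photos = dict(photos)

    def removal_link(self, photo_id):
        # Parameters travel in the clear and nothing ties them together.
        return {"photo_id": photo_id, "owner": self.photos[photo_id]}

    def handle_removal(self, link, acting_user):
        # The only check compares the acting user against the owner field
        # the client itself supplied, so rewriting the parameters lets a
        # non-owner delete any photo.
        if link["owner"] != acting_user:
            return False
        return self.photos.pop(link["photo_id"], None) is not None


@dataclass(frozen=True)
class RemovalReport:
    report_id: str
    photo_id: str


class HardenedRemovalService:
    """Binds each removal link to a server-side report record and re-checks
    ownership against the server's own data at deletion time (assumed fix)."""

    def __init__(self, photos):
        self.photos = dict(photos)
        self.reports = {}
        self._key = secrets.token_bytes(32)  # per-deployment signing key

    def _sign(self, report_id):
        return hmac.new(self._key, report_id.encode(), hashlib.sha256).hexdigest()

    def removal_link(self, photo_id):
        report_id = secrets.token_urlsafe(16)
        self.reports[report_id] = RemovalReport(report_id, photo_id)
        # The link carries only an opaque report id plus an integrity tag;
        # the photo id and owner never leave the server.
        return {"report": report_id, "sig": self._sign(report_id)}

    def handle_removal(self, link, acting_user):
        expected = self._sign(link.get("report", ""))
        if not hmac.compare_digest(expected, link.get("sig", "")):
            return False  # tampered or forged link
        report = self.reports.get(link["report"])
        if report is None:
            return False
        # Authorization comes from the server's own ownership record, not
        # from anything in the request.
        if self.photos.get(report.photo_id) != acting_user:
            return False
        del self.reports[link["report"]]
        del self.photos[report.photo_id]
        return True


def tamper(link, **overrides):
    """Constructed model of 'changing parameters within this message'."""
    return {**link, **overrides}


def demo():
    """Returns (vulnerable: non-owner deleted alice's photo,
                hardened: tampered link accepted,
                hardened: genuine link used by non-owner accepted,
                hardened: genuine link used by the real owner accepted)."""
    vuln = VulnerableRemovalService(SAMPLE_PHOTOS)
    forged = tamper(vuln.removal_link("photo-1001"), owner="mallory")
    vuln_deleted = vuln.handle_removal(forged, acting_user="mallory")

    hard = HardenedRemovalService(SAMPLE_PHOTOS)
    link = hard.removal_link("photo-1001")
    forged = tamper(link, report="some-other-report")  # signature no longer matches
    hard_forged = hard.handle_removal(forged, acting_user="mallory")
    hard_wrong_user = hard.handle_removal(link, acting_user="mallory")
    hard_owner = hard.handle_removal(link, acting_user="alice")
    return vuln_deleted, hard_forged, hard_wrong_user, hard_owner


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```

The point for a defender reviewing a similar workflow is the last check in the hardened handler: whatever the link says, the decision to delete is made by comparing the acting user against the ownership the server already knows, so editing the message changes nothing.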
The exploit could also be used to delete photos from any verified user, pages or groups in addition to statuses, photo albums, suggested posts and also comments.
Facebook said in response to Kumar’s proof of concept (POC): "After reviewing the bug details you have provided, our security team has determined that you are eligible to receive a bounty payout of $12,500."
Palestinian security researcher Khalil Shreateh recently discovered a bug and posted about it on Mark Zuckerberg's Facebook timeline after the social network's security team rejected his reports of the critical vulnerability.