Engineer From India Receives $12,500 For Finding A Critical Bug On Facebook

An engineering student from India, Arul Kumar, has found a critical vulnerability on Facebook that let any user delete photos from anyone's account without the owner's consent or knowledge.The social networking site was recently in news for having exposed a major bug about posting on any user's timeline. Researcher Khalil Shreateh posted about Facebook security problem directly to Mark Zuckerberg's public Facebook wall. This time, Arul Kumar, a student of the electronics and communications department, is a 21-year old from Tamil Nadu knew about the WhiteHat Bug Reporting Program going on in Facebook. By reporting this important bug he has won $12,500 bounty and a lot of appreciation from the tech community.

He found out that the mobile version of Facebook's Support Dashboard, which allows users to flag and report a picture for removal, could be exploited to remove any photograph posted by any Facebook user. When a user sends a photo removal request through the Support Dashboard, usually Facebook takes a look and decides if it should be removed or not. If Facebook decides not to remove it, then the user has the option of sending a message to the user who has posted the picture with a request to remove the same picture. The request also contains a link, clicking on which leads to the removal of the photo.

"I can manually modify Photo_id & Owners Profile_id so that I can able to receive any photo removal link to my inbox," said Kumar. "It would be done without any user's Interaction. And also Facebook will not notify owner if his photo was removed." As per Kumar, the same exploit could have been used for removing photos posted by even verified users, fan pages and groups and from status updates, photo albums, suggested posts and comments.


"I messed around with this for the last 40 minutes but cannot delete any victim's photo. All I can do is if the victim clicks the link and chooses to remove the photo it will be removed, which is not a security (vulnerability) obviously," a member of Facebook security team wrote in an email. Following this, Arul Kumar sent Facebook a proof of concept video demonstrating the bug through a dummy account. He also demonstrated the bug using the profile id of Facebook founder Mark Zuckerberg and a photo hosted by him. Faceook identified the problem and has rewarded him handsomely.

"Earlier this year, I heard about the Facebook bug bounty programme through which the company rewards people find who flaws on the website. Then I came to know about some Indian hackers who hunt for bugs and are rewarded," Arul told TOI from Chennai, where he is looking for a job. "I started looking for bugs and learned programming and networking through tutorials on the web. The bug that I found on Facebook doesn't require some technical wizardry. I found it because I keep an open eye when I use web services."

We congratulate Arul on his achievement and invite him to share his security research insights here on CrazyEngineers if he is reading this. Let us know what are your opinions about Facebook vulnerabilities.

Source: #-Link-Snipped-#


  • Sanyam Khurana
    Sanyam Khurana
    Good to know, that Engineers from India too are winning the bounty.

    Congrats, Arul for the good work.

    But I am disappointed that Facebook took Khalil's reports for granted, and then only in pressure, he posted that stuff on Mark Zuckerberg's wall, even he said sorry for that, but then also, facebook didn't offer him any bounty.. :sad:
  • Pradip007
    Congrats, Arul for the finding solution on facebook bugs ...................
  • Shah Sharath
    Shah Sharath

You are reading an archived discussion.

Related Posts

Hi CEans, I am out here with a big question that whether there is any recovery software or app available for mobile phones( smart phones) in the market.You may include...
Duke University researchers come up with a new plastic that actually becomes stronger when stressed. Cell phone body may be a good application for this.
Ho CEans,I have a long doubt on this question.My friends introduced me about the IMDB-International movie database.Its quite awesome website having all the features and details of all the films...
Facebook is slipping a lot on Twittery grounds! The social network recently launched the #hash-tag feature, which formed the heart of Twitter, and now it's planning to pluck a major...
I've been recently told that there are no walk-ins organized by the companies. Most of the recruitment happens through campus. Gone are the days when companies like TCS, Cognizant, Wipro,...