A bug which allowed any Facebook user to delete photos from any other user’s page without their knowledge has earned its discoverer $12,500 under Facebook’s “bug bounty” program – more than 10 times the average payout.
The bug relied on a weakness in Facebook's photo-reporting flow. When a user reported a photo, Facebook provided a URL that let them send a "takedown" request to the photo's owner for pictures containing inappropriate content. By changing the numeric identifiers in that URL, Kumar, the researcher who found the bug, was able to turn it into a "one-click delete" for any photo on the site, with no check that the requester owned the photo or had any right to remove it.
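Treating a numeric identifier in a URL as proof of authority is the access-control flaw known as an insecure direct object reference. The following is an added illustration of that class, not Facebook's code and not anything from Kumar's report: a toy delete handler that trusts the identifiers in the takedown link, beside a hardened version that takes authority only from the logged-in session and server-side state. The endpoint shape, the in-memory store, the user and photo IDs and all names are assumptions.

```python
# Added example (not Facebook's code). Models a "one-click delete" takedown
# endpoint with an insecure direct object reference, and its hardened form.
from dataclasses import dataclass, field


@dataclass
class Photo:
    photo_id: int
    owner_id: int


@dataclass
class Store:
    # Constructed in-memory state standing in for the real database.
    photos: dict = field(default_factory=dict)  # photo_id -> Photo


def make_store():
    """Three photos owned by users 1, 2 and 3 (assumed sample data)."""
    s = Store()
    for pid, owner in [(101, 1), (102, 2), (103, 3)]:
        s.photos[pid] = Photo(pid, owner)
    return s


def _as_int(value):
    """Parse a query-string number; malformed input is treated as absent."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def delete_vulnerable(store, session_user_id, query):
    """Vulnerable handler: both the target photo and the 'owner' come from the
    URL, so any logged-in user who edits the link can delete any photo.
    The session user is never compared against anything."""
    photo_id = _as_int(query.get("photo_id"))
    owner_id = _as_int(query.get("owner_id"))  # attacker-controlled
    photo = store.photos.get(photo_id)
    if photo is None or owner_id is None:
        return False
    # Bug: the request's own claim of ownership is accepted as authorization.
    if photo.owner_id == owner_id:
        del store.photos[photo_id]
        return True
    return False


def delete_hardened(store, session_user_id, query):
    """Hardened handler: the URL only selects the object; the decision is made
    from the authenticated session against server-side ownership."""
    photo_id = _as_int(query.get("photo_id"))
    photo = store.photos.get(photo_id)
    if photo is None:
        return False
    # Only the photo's owner, as recorded server-side, may delete it. A
    # reporter's takedown request is not a grant of that right.
    if photo.owner_id != session_user_id:
        return False
    del store.photos[photo_id]
    return True


def attacker_run(handler):
    """User 9 owns nothing, but crafts a link naming photo 101 and its owner 1
    (owner IDs are typically public). Returns (deleted?, photo still present?)."""
    store = make_store()
    crafted = {"photo_id": "101", "owner_id": "1"}
    deleted = handler(store, 9, crafted)
    return deleted, 101 in store.photos


if __name__ == "__main__":
    print("vulnerable:", attacker_run(delete_vulnerable))  # (True, False)
    print("hardened:  ", attacker_run(delete_hardened))    # (False, True)
```

The fix is not to hide or randomise the identifier in the link but to stop using it as the authorization decision: the handler must look up who owns the object and compare that to the session, which is the check the vulnerable version never makes.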
Kumar submitted a bug report, but Facebook's team was unable to reproduce it, so he resubmitted the bug in the form of a demonstration video. The bug worked from any account, regardless of whether the photo had ever been reported to Facebook.
“OK, found the bug, fixing the bug,” said one of Facebook’s security team. “Want to say your video was very good and helpful. I wish all bug reports had such a video.”
Kumar then received an email from Facebook’s security team announcing that his discovery of the critical bug earned him $12,500. Kumar said that he had already received $1,500 from the program for reporting other bugs.
Crucially, as TechCrunch reported, his video demonstration stopped short of deleting photos on Mark Zuckerberg's actual Facebook page. Last month, Khalil Shreateh received no payout for reporting a bug which allowed any user to post to any other user's wall, because he demonstrated the exploit to Facebook in the most direct way possible: he used the bug to post to Mark Zuckerberg's own wall.
Facebook responded with a statement saying he would not be paid because the demonstration violated the site's privacy guidelines.
Author Rob Waugh, We Live Security