From: TechCrunch

Greg Kumparak

In a nice example of how Facebook’s bounty program should work (in contrast with that mess a few weeks ago), a security researcher has unearthed a bug that would let anyone delete just about any photo from Facebook — whether the photo was yours, mine, or Zuckerberg’s — and was paid a solid chunk of cash for the discovery.

According to the terms of Facebook’s white hat program, those who find bugs and follow Facebook’s rules in reporting them are paid a bounty. The minimum bounty for any bug is set at $500, with Facebook paying more based on the bug’s severity. Most payouts I’ve heard of tend to be around $1,500. In his write up of this bug, security researcher Arul Kumar says he was paid $12,500 — roughly 25x the base bounty.

Why so much? It’s likely because this bug was really, really simple to reproduce. Seemingly a matter of changing a few parameters in a URL, it would have been trivial to create a tool that allowed a malicious user to delete other user’s photos en masse.

The bug, says Arul, relied on a weakness in Facebook’s support dashboard, which allows a user to see the status of reports they’ve sent for review (for reporting things like inappropriate profiles or photos, or spam.)

If a user reported a photo and Facebook decided not to forcibly delete it, that user would get a link that let them send a quick takedown request whoever had uploaded the image, complete with a one-click delete button. This link, it seems, was the weakness.

By changing a pair of numbers in the link’s URL, Arul says he could take down any photo, from any user — regardless of who that photo actually belonged to, and whether or not that photo had ever actually been reported. He could send a takedown request for a photo on some celebrity’s account, for example, to his own secondary profile. The target account wouldn’t see a thing until their photo was already gone.

Read Complete Article