Arul Kumar, an Indian security enthusiast, recently reported an interesting vulnerability in Facebook that allowed him to hack Facebook and erase any image from the social network within a minute, without the owner's knowledge.
Unlike the Palestinian hacker Khalil Shreateh, Arul Kumar did receive a reward from Facebook, $12,500, for discovering and reporting the security flaw on the site.
The flaw is very dangerous because the same exploitation method could also delete photos from the album of Mark Zuckerberg, Facebook's founder, or even photos from a verified page.
How is the attack carried out?
Normally, if a flagged photo is not removed by Facebook, the user can send a removal request to the owner via an automatically generated link addressed to that owner. If the owner of the photo clicks this link, the photo is legitimately deleted.
Arul Kumar explains on his blog that the flaw lies in manually modifying two parameters in the link's URL (Photo_id and the owner's Profile_id). The attacker can thus receive a deletion link for a photo without the rightful owner knowing.
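A toy model of the flaw Kumar describes and of its fix, added here as an example; it is not code from the original article or from Facebook, and the in-memory photo store, the HMAC-signed link and the function names are assumptions. The vulnerable handler trusts the owner id carried in the URL, so the deletion link is addressed to whoever the requester names; the hardened handler looks the owner up server-side and only deletes when the authenticated user clicking the link is that owner.

```python
import hashlib
import hmac
import secrets

# Constructed toy data (an assumption for this example, not Facebook's data model).
PHOTOS = {"photo-1": {"owner": "alice"}, "photo-2": {"owner": "bob"}}
SECRET = secrets.token_bytes(32)  # server-side key used to sign deletion links


def _sign(photo_id: str, owner_id: str) -> str:
    """Bind a deletion link to one photo and one owner."""
    return hmac.new(SECRET, f"{photo_id}:{owner_id}".encode(), hashlib.sha256).hexdigest()


def vulnerable_request_removal(photo_id: str, owner_id: str) -> dict:
    """Trusts the owner id supplied in the URL (the Profile_id parameter):
    the deletion link is delivered to whoever the requester names, so the
    real owner is never involved."""
    return {"deliver_to": owner_id, "photo_id": photo_id, "token": _sign(photo_id, owner_id)}


def vulnerable_confirm_removal(photos: dict, link: dict) -> bool:
    """Checks only that the token matches the link's own fields; whoever
    received the link can delete the photo."""
    if hmac.compare_digest(_sign(link["photo_id"], link["deliver_to"]), link["token"]):
        photos.pop(link["photo_id"], None)
        return True
    return False


def hardened_request_removal(photos: dict, photo_id: str) -> dict:
    """The client may only name the photo; the recipient is the owner the
    server has on record, never a value taken from the request."""
    real_owner = photos[photo_id]["owner"]
    return {"deliver_to": real_owner, "photo_id": photo_id, "token": _sign(photo_id, real_owner)}


def hardened_confirm_removal(photos: dict, link: dict, clicker: str) -> bool:
    """Deletes only if the authenticated user clicking the link is the stored
    owner of the photo AND the token was issued for that photo and owner."""
    record = photos.get(link["photo_id"])
    if record is None or clicker != record["owner"]:
        return False
    if not hmac.compare_digest(_sign(link["photo_id"], record["owner"]), link["token"]):
        return False  # link was altered after it was issued
    del photos[link["photo_id"]]
    return True
```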
Here is the URL of the vulnerability and its parameters:
The photo flaw has since been fixed by the Facebook security team, and Kumar was rewarded accordingly.