Facebook flaw allows user photos to be deleted


Arul Kumar, an Indian security enthusiast, recently reported an interesting vulnerability on Facebook that allowed him to hack Facebook and delete any image from the social network in just one minute and without the owner's knowledge.

Unlike the Palestinian hacker Khalil Shreateh, Arul Kumar did receive a reward, $12,500, from Facebook for discovering and reporting a security flaw on the site.

The flaw is very dangerous because the same exploitation method can also delete photos from the album of Mark Zuckerberg, the founder of Facebook, or even photos from a verified page.

How is the attack carried out?

Normally, if a reported photo is not deleted by Facebook, the user can send a deletion request to the owner via an automatically generated link addressed to him. If the photo owner clicks on this link, the photo is legitimately deleted.


Arul Kumar explains on his blog that the flaw lies in the manual modification of two parameters in the URL link (Photo_id and Owners Profile_id). The attacker can thus receive a deletion link for a photo without the legitimate owner being aware.

Here is the vulnerability URL and its parameters:

[Image: facebook-delete-photo]

The flaw in the photos has since been corrected by the Facebook security team, and Kumar was rewarded accordingly.
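The parameter tampering described above comes down to a server trusting an owner id supplied in the request. The Python sketch below is an added example, not Facebook's code or Arul Kumar's; the photo table, the ids and the function names are constructed for illustration. It contrasts a handler that trusts the request with one that looks the owner up server-side.

```python
# Added illustration: a toy removal-request service, not Facebook's code.
# PHOTOS, the handler names and all ids are constructed for this example.

PHOTOS = {"photo-1001": "user-alice", "photo-1002": "user-bob"}  # photo_id -> owner


class RequestRejected(Exception):
    """Raised when a removal request fails a server-side check."""


def send_removal_link_vulnerable(requester, photo_id, owner_profile_id):
    """Flawed pattern: the recipient of the deletion link comes from the request."""
    if photo_id not in PHOTOS:
        raise RequestRejected("unknown photo")
    # The client-supplied owner_profile_id is trusted as-is, so whoever is
    # named in the request receives a working deletion link for photo_id.
    return {"to": owner_profile_id, "photo": photo_id, "requested_by": requester}


def send_removal_link_hardened(requester, photo_id, owner_profile_id=None):
    """Corrected pattern: the recipient is looked up from the photo record."""
    owner = PHOTOS.get(photo_id)
    if owner is None:
        raise RequestRejected("unknown photo")
    if owner_profile_id is not None and owner_profile_id != owner:
        # A mismatch means the parameters were edited: reject (and log) it.
        raise RequestRejected("owner parameter does not match photo record")
    return {"to": owner, "photo": photo_id, "requested_by": requester}


def demo():
    # Constructed request: the requester names herself as owner of Alice's photo.
    tampered = ("user-mallory", "photo-1001", "user-mallory")
    leaked = send_removal_link_vulnerable(*tampered)
    try:
        send_removal_link_hardened(*tampered)
        blocked = False
    except RequestRejected:
        blocked = True
    honest = send_removal_link_hardened("user-bob", "photo-1001", "user-alice")
    return leaked["to"], blocked, honest["to"]


if __name__ == "__main__":
    print(demo())
```

The mismatch branch is also a useful detection point: a legitimate client never sends an owner id that disagrees with the photo record.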