
A good example of how Facebook's bug bounty program should work (as opposed to the confusion of a few weeks ago): a security researcher found a bug that allowed anyone to delete almost any Facebook photo, whether yours, mine, or Zuckerberg's. For this discovery he received a very generous monetary reward.
Under the terms of the program, those who find bugs and report them according to the rules are rewarded. The minimum payout for any bug is $500, but Facebook can pay more depending on the severity of the vulnerability found; most payouts are around $1,500. In his blog, security researcher Arul Kumar writes that he received a $12,500 bounty, roughly 25 times the minimum payout.
Most likely the reason for such generosity is how very easy the vulnerability was to reproduce. Changing a few parameters in a URL is a trivial task, which means a tool for mass-deleting other users' photos would have been just as trivial for an attacker to build.
According to Arul, the root of the vulnerability is the blocking page, which lets a user see the status of requests they have submitted for review (for example, reports of fake profiles, offending photos, spam, etc.).
If a user complained about a photo and the service staff agreed that it violated the rules, the user received a link that, when clicked, deleted the photo. This link turned out to be the cause of the vulnerability.
Arul says that by capturing a photo ID and a user's page ID and changing a few digits in them, he could delete any user's pictures. It makes no difference who owns the deleted images or whether a complaint was ever filed against them: you can direct a request to delete a celebrity's photos to one of your own accounts, and the celebrity will notice nothing until the photos are gone.
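The flaw described above is an insecure direct object reference: the delete link's authority came from IDs in the URL rather than from a server-side record. The following is an added example, not Facebook's code, with constructed data and hypothetical names (`delete_vulnerable`, `delete_hardened`, `approve_report`); it places the URL-trusting handler beside one that binds the action to an unguessable, single-use report token and derives the photo's owner server-side.

```python
# Added example, not Facebook's code: models the post-review delete link
# with constructed data and hypothetical names.
import secrets
from dataclasses import dataclass, field

@dataclass
class Photo:
    photo_id: int
    owner_id: int
    deleted: bool = False

@dataclass
class Report:
    photo_id: int  # the one photo the reviewers agreed should go
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))

def make_photos():
    # Constructed sample data: photo 1 belongs to user 100, photo 2 to user 200.
    return {1: Photo(1, 100), 2: Photo(2, 200)}

def approve_report(reports, photo_id):
    """Staff uphold a complaint; return the unguessable token carried by the link."""
    report = Report(photo_id)
    reports[report.token] = report
    return report.token

def delete_vulnerable(photos, requester_id, photo_id, owner_id):
    """Authorization computed from URL parameters: the link 'belongs' to whoever
    owner_id names, so pointing owner_id at your own account grants the delete."""
    if requester_id != owner_id:
        return "forbidden"
    photo = photos.get(photo_id)
    if photo is None:
        return "not found"
    photo.deleted = True
    return "deleted"

def delete_hardened(photos, reports, requester_id, token, photo_id):
    """Authorization computed from server-side records only."""
    report = reports.get(token)
    if report is None or report.photo_id != photo_id:
        return "forbidden"  # no upheld report, or link rebound to another photo
    photo = photos[report.photo_id]
    if photo.owner_id != requester_id:
        return "forbidden"  # owner taken from the photo record, never the URL
    photo.deleted = True
    del reports[token]  # single use
    return "deleted"
```

The hardened handler never reads an owner ID from the request at all, so editing digits in the link can at most produce a "forbidden" response, which is also the event worth logging.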
Arul posted a video that demonstrates how the vulnerability works:
Oddly enough, Arul demonstrated the vulnerability on Mark Zuckerberg's profile, the very thing that cost security researcher Khalil Shreateh his reward a few weeks ago (Facebook forbids testing vulnerabilities on real accounts). In fact, though, Arul did not touch Mark's profile, whereas Khalil posted a message about his vulnerability directly on Zuckerberg's wall. Arul only used one of Mark's photos to demonstrate the bug and did not click the delete button.
At the moment, both Facebook security vulnerabilities have already been fixed.