Arul Kumar, a 21-year-old engineering graduate from Tamil Nadu in southern India, has received a $12,500 (around 8,25,000 rupees) bounty from Facebook (NASDAQ:FB) after he found a critical vulnerability in the social network’s mobile application that would allow anyone to remove photos from a user’s account without his or her consent.
“I would like to share one of the critical bugs in Facebook, which leads to deleting any photo from Facebook without user interaction,” Kumar wrote in a blog post in which he provided details about the bug he had discovered.
This is the second time that Arul has won Facebook's whitehat award for detecting a bug. Earlier, he had discovered another bug on the social networking platform and was promised a $1,500 reward.
According to Kumar, the mobile version of Facebook's Support Dashboard, a portal designed to allow users to flag and report any image for removal by the Facebook team, could be used to take down any photograph posted by a Facebook user.
Kumar said that Facebook’s security team reviews every photo removal request submitted through the Support Dashboard and decides whether the photo should be removed. If Facebook declines to take down a reported photo, the user has a second option: sending a photo removal request directly to the user who uploaded it. That request contains a photo removal link; clicking it permanently removes the photo.
“I can manually modify Photo_id & Owner's Profile_id so that I am able to receive any photo removal link to my inbox,” Kumar wrote. “It would be done without any user’s interaction. And, also, Facebook will not notify the owner if his photo was removed.”
According to Kumar, the bug allows the removal of any photo from verified users’ accounts, fan pages, groups, comments, photo albums and even from a user’s status.
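The flaw Kumar describes is a missing server-side ownership check: the client-supplied photo and owner identifiers were trusted, so a removal link could be routed to an account that did not own the photo. The following is an added, hypothetical model of that flow, not Facebook's code; the photo store, inboxes, account ids and the HMAC-bound link are all constructed here to show the weak handler beside a hardened one.

```python
import hmac
import hashlib
import secrets

# Constructed sample data: photo id -> id of the account that owns it.
PHOTOS = {"photo-1001": "owner-alice", "photo-1002": "owner-bob"}
# Constructed: where a removal link is delivered, keyed by account id.
INBOX = {}
# Server-side signing key; never sent to clients.
SECRET = secrets.token_bytes(32)


def vulnerable_request_link(reporter_id, photo_id, owner_id):
    """Weak handler: trusts the client-supplied owner_id, so the removal
    link is delivered to whichever account the reporter names."""
    link = f"/remove?photo={photo_id}&owner={owner_id}"
    INBOX.setdefault(owner_id, []).append(link)
    return owner_id  # the inbox that actually received the link


def _token_for(photo_id, owner_id):
    """HMAC binding a link to one photo and its real owner."""
    msg = f"{photo_id}|{owner_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def hardened_request_link(reporter_id, photo_id, claimed_owner_id=None):
    """Resolve ownership server-side, ignore any owner id the client
    supplies, and bind the link to the photo and real owner."""
    owner_id = PHOTOS.get(photo_id)
    if owner_id is None:
        raise ValueError("unknown photo")
    link = f"/remove?photo={photo_id}&token={_token_for(photo_id, owner_id)}"
    INBOX.setdefault(owner_id, []).append(link)
    return owner_id


def remove_photo(actor_id, photo_id, token):
    """Honour a removal link only if the actor is the real owner and the
    token was issued for exactly this photo/owner pair."""
    owner_id = PHOTOS.get(photo_id)
    if owner_id is None or actor_id != owner_id:
        return False
    if not hmac.compare_digest(_token_for(photo_id, owner_id), token):
        return False
    del PHOTOS[photo_id]
    return True
```

The hardened path never consults the reporter's claimed owner id and rejects both forged tokens and clicks from anyone but the resolved owner.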
After finding the vulnerability, Kumar reported the bug to Facebook. But a security team member from the company responded saying that he could not reproduce the bug.
However, Kumar created a video demonstrating the bug using the profile id of Mark Zuckerberg, a photo hosted by him and a dummy account, and sent it to Facebook again. This time, Facebook's security team confirmed the bug and a payment of $12,500 was approved for Kumar.
"Found the bug ... fixing the bug. Wanted to say your video was very good and helpful. I wish all bug reports had such a video," a Facebook team member wrote back.
“The bug that I found on Facebook doesn't require some technical wizardry. I found it because I keep an open eye when I use web services,” Kumar told The Times of India.