The latest vulnerability, found by Arul Kumar and awarded a $12,500 bug bounty, allowed any attacker to remove a Facebook image from any other user’s account. It was logic in Facebook’s Support Dashboard rather than a code flaw, and simply involved the attacker setting up two bogus accounts; one to be used to send a removal request, and the other to be used to receive the response from Facebook.
The Support Dashboard is designed to allow users to track the progress of user requests, and is continuously monitored by Facebook staff. Kumar’s vulnerability simply sent the support staff a request to remove a photo. In his example, he sends a request to the Dashboard, amounting to, “Hey, I am sending a Photo Removal Request of Target Photo to you now. Can you remove it now without user interaction?”
The photo in question will not have broken any Facebook rules, so the standard procedure is to send a response to the user providing the instruction to remove the photo. But Kumar had discovered that he could alter the parameters in his request; and by having the deletion instruction sent back to his second account, he could then proceed to delete the photo without the owner knowing anything about it.
Kumar reported this vulnerability to Facebook who, just like the earlier vulnerability found by Khalil Shreateh, did not at first believe there was a problem. But unlike Shreateh, Kumar proceeded to demonstrate the vulnerability with a video proof of concept using demo accounts rather than by using the vulnerability directly on Mark Zuckerberg’s own wall.
Following his POC, Facebook support responded, “Ok, found the bug, fixing the bug. The fix should be live sometime early tomorrow.” Kumar later received a second email saying, “After reviewing the bug details you have provided, our security team has determined that you are eligible to receive a bounty payout of $12,500 USD.”
Compare this with the Shreateh bug – which allowed him to post to the wall of non-friends. Because he did not follow Facebook’s reporting procedures, even though Facebook benefited from the disclosure, he received nothing. But as a final postscript, the security community clearly felt that Shreateh had been treated unfairly. Marc Maiffret set up a fund that privately raised $13,500 to “be sent to Khalil Shreateh to help support future security research.”