An Indian security researcher has discovered a security flaw in Facebook which allowed hackers to delete any image stored on the world’s largest social network. The flaw exploits Facebook Support Dashboard, it is deemed to be critical and is said to work with any version of any web browser. According to Arul Kumar, who discovered the flaw, it was most successfully exploited by hackers through mobile devices. Facebook has awarded a $12,500 bounty to Arul for the responsible disclosure of this security flaw.
Facebook Support Dashboard is used to send photo removal requests. The requests can either be reviewed by Facebook employees or they can be sent directly to someone who has uploaded the image. If the request is approved, a link to generated, if the photo owner clicks that link the photo is deleted. Two parameters Photo_id and Owners Profile_id are vulnerable if such a request is sent. A hacker can modify them to receive a link to remove any photo without the owner ever knowing or interacting with said link. Arul says that the flaw can be used to remove photos from users, pages as well as shared and tagged images and photos from pages, suggested posts and pages. Not to worry though, Facebook has plugged it.