A 21-year-old Indian Electronics and Communications Engineer has received a $12,500 bounty after reporting a Facebook bug that allowed anyone to delete an image from a page without any interaction from its owner.
Researcher Arul Kumar posted a blog about how easy it was to exploit the Facebook Support Dashboard and delete any image from any page, including verified ones. Kumar detailed the bug, deemed critical, and even sent across a video to Facebook’s security team.
How the bug worked
The bug worked in any browser and was easiest to exploit from a mobile device. Essentially, two profiles were required to make it work, one acting as the receiver and the other as the sender. Two parameters were also required: Photo_id and the Owner Profile_id. Anyone who wanted an image deleted needed both of these values. Once tampered with, they ensured that photos could be removed without the owner ever knowing about it.
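The flaw described above is an authorization failure: the removal flow trusted the photo_id and owner profile_id it was handed instead of checking them against who actually owned the photo and who was making the request. The following is an added example, not Kumar's or Facebook's code, showing a removal handler that trusts those parameters beside one that derives ownership server-side; the photo store, profile names and function names are constructed for illustration.

```python
# Added example (not from the article or Facebook): a photo-removal handler
# that trusts client-supplied identifiers, and a hardened version that does not.

class Forbidden(Exception):
    """Raised when the authenticated profile does not own the photo."""


def fresh_photos():
    """Constructed sample photo store keyed by photo_id (stands in for a DB)."""
    return {
        "photo_1001": {"owner": "profile_alice", "deleted": False},
        "photo_2002": {"owner": "profile_bob", "deleted": False},
    }


def remove_photo_vulnerable(session_profile, photo_id, owner_profile_id, photos):
    """Mirrors the bug: both photo_id and owner_profile_id come from the
    request, so the check compares two attacker-controlled values and the
    authenticated session (session_profile) is never consulted."""
    photo = photos[photo_id]
    if photo["owner"] == owner_profile_id:
        photo["deleted"] = True
        return True
    return False


def remove_photo_hardened(session_profile, photo_id, photos):
    """Looks up the real owner from the server-side record and requires it to
    match the authenticated session; any owner id sent by the client is ignored."""
    photo = photos.get(photo_id)
    if photo is None:
        raise KeyError(photo_id)
    if photo["owner"] != session_profile:
        # Log and reject: a mismatch here is the signal a defender wants to alert on.
        raise Forbidden(f"{session_profile} is not the owner of {photo_id}")
    photo["deleted"] = True
    return True
```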
The sequence of events, as posted by Kumar, is eerily similar to that of Khalil, the security expert who broke into Mark Zuckerberg's profile. Khalil had tried to report a vulnerability to the Facebook security team, but for several reasons the team either dismissed his claim or did not take it seriously. Frustrated, Khalil posted on Mark Zuckerberg's wall to demonstrate the bug, which allowed anyone to post on any Facebook user's wall, and wrote a lengthy post about how he had not been taken seriously.
Soon afterwards his profile was suspended and the bug fixed, but Khalil did not receive a bounty from Facebook because he had broken an important rule: never meddle with a real user's profile while demonstrating a bug.
Kumar also faced an initial rejection from the team. Taking a cue from recent events, he sent in a video detailing the bug further. Interestingly, he even demonstrated the bug on Zuckerberg's photo but did not delete it. Facebook recognised the bug and decided to award Kumar $12,500. The social network had also accepted three open redirector reports from Kumar, making him eligible for a further $1,500 in bounties.