Facebook flaw allows hackers to delete any photo

Summary: A bug bounty hunter has been rewarded with $12,500 after discovering the security flaw which left your photos fair game.

A security flaw which allowed hackers to delete any image stored on Facebook has been discovered by Indian researcher Arul Kumar -- and he has been rewarded for his efforts.

The Facebook flaw, explained at length on Kumar's blog, abused the Facebook Support Dashboard. Rated "critical," the bug worked in any browser and any version, but was most reliably exploited through mobile devices (the proof of concept uses the m.facebook.com report URL).

The Facebook Support Dashboard is used to send photo removal requests to the company. Reports are reviewed by Facebook employees, or alternatively a report can be sent directly to the image's owner. A link is then generated to remove the photo -- which, if clicked by the owner, removes the offending image.

However, when that message is sent, two request parameters -- the photo ID (cid) and the owner's profile ID (rid) -- are not validated against the report. If modified, the attacker receives the removal link for any photo in an inbox they control, without the owner's interaction or knowledge.

Every photo has an "fbid" value, which can be read from its Facebook URL. Once the image ID has been obtained, two Facebook user accounts -- one acting as the "sender" and one as the "receiver" -- are used to obtain the 'remove photo' link.

The owner's profile ID can be found using the Facebook Graph API.


The security enthusiast explains how the hack works:

https://m.facebook.com/report/social/?phase=0&next_phase=8&pp={"first_dialog_phase": 8,"support_dashboard_item_id":396746693760717,"next":"\/settings\/support\/details\/?fbid=396746693760717","actions_to_take":"{\"send_message\":\"send_message\"}"}&content_type=2&cid=PHOTO_ID&rid=PROFILE_ID

Look at the URL. You can find the "cid" & "rid" parameters at the end. These are the vulnerable parameters, from which we can send a photo removal link for any photo to a receiver's inbox by modifying the values of "photo_id" & "profile_id".


cid= Photo_id (Just include your target photo's ID value as the "cid" input)

rid= Profile_id (You need to include the receiver's Profile ID as the "rid" input)

After including those values, press enter. Then, if you click the "Continue" button, Facebook will automatically send the photo removal link to your receiver profile.
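The missing server-side check, as an added illustration that is not code from Kumar's post or from Facebook: a toy model of the report flow in which the vulnerable handler trusts cid and rid straight from the URL, while the hardened handler derives both the photo and the recipient from the server-side support item and refuses any request whose parameters disagree with it. The photo IDs, profile names and support item IDs are constructed sample data; only the 396746693760717 value is taken from the URL quoted above.

```python
import hashlib
import hmac
import secrets

# Added, hypothetical model of the report flow described in the article. It is
# not Facebook code; the profile names, BOB_PHOTO and item 9001 are constructed.

VICTIM_PHOTO = 396746693760717   # the fbid that appears in the quoted URL
BOB_PHOTO = 111                  # constructed second photo


class Forbidden(Exception):
    """Raised when a request fails authorization."""


class SupportDashboard:
    def __init__(self, photos, items):
        self.photos = dict(photos)    # photo_id -> owner profile id
        self.items = dict(items)      # item id -> {"reporter": ..., "photo_id": ...}
        self.inboxes = {}             # profile id -> list of delivered removal tokens
        self.key = secrets.token_bytes(32)   # server-side signing key

    def _sign(self, photo_id, recipient):
        msg = f"{photo_id}:{recipient}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def _token(self, photo_id, recipient):
        # A removal link is a capability to delete photo_id, addressed to recipient.
        return f"{photo_id}:{recipient}:{self._sign(photo_id, recipient)}"

    def send_removal_link_vulnerable(self, session_user, item_id, cid, rid):
        """Mirrors the flaw: cid and rid come from the URL and are trusted, so a
        removal link for any photo can be mailed to any inbox."""
        if item_id not in self.items:
            raise ValueError("unknown support item")
        token = self._token(cid, rid)
        self.inboxes.setdefault(rid, []).append(token)
        return token

    def send_removal_link_hardened(self, session_user, item_id, cid, rid):
        """Derives photo and recipient from server-side state and rejects a
        request whose cid/rid disagree with that state."""
        item = self.items.get(item_id)
        if item is None or item["reporter"] != session_user:
            raise Forbidden("report does not belong to the requesting user")
        photo_id = item["photo_id"]
        owner = self.photos.get(photo_id)
        if owner is None or cid != photo_id or rid != owner:
            # Worth logging: parameter tampering against an IDOR-style endpoint.
            raise Forbidden("cid/rid do not match the reported photo and its owner")
        token = self._token(photo_id, owner)
        self.inboxes.setdefault(owner, []).append(token)
        return token

    def redeem(self, token, acting_user):
        """Clicking the link: the recipient named in a validly signed token
        deletes the photo. As in the article, the link itself is the authority,
        which is why minting it has to be strict."""
        photo_str, recipient, sig = token.rsplit(":", 2)
        photo_id = int(photo_str)
        if not hmac.compare_digest(sig, self._sign(photo_id, recipient)):
            raise Forbidden("bad signature")
        if acting_user != recipient:
            raise Forbidden("link was not addressed to this user")
        if photo_id not in self.photos:
            raise Forbidden("photo already gone")
        del self.photos[photo_id]
        return photo_id


def sample_dashboard():
    """Constructed state: victim owns VICTIM_PHOTO, bob owns BOB_PHOTO, and the
    attacker holds one legitimate report (item 9001) against bob's photo."""
    return SupportDashboard(
        photos={VICTIM_PHOTO: "victim", BOB_PHOTO: "bob"},
        items={9001: {"reporter": "attacker", "photo_id": BOB_PHOTO}},
    )


if __name__ == "__main__":
    d = sample_dashboard()
    # Tampered cid/rid through the vulnerable handler: the victim never sees anything.
    link = d.send_removal_link_vulnerable("attacker", 9001, VICTIM_PHOTO, "receiver")
    print("vulnerable path deleted photo", d.redeem(link, "receiver"))
    d = sample_dashboard()
    try:
        d.send_removal_link_hardened("attacker", 9001, VICTIM_PHOTO, "receiver")
    except Forbidden as e:
        print("hardened path refused:", e)
```

The hardened handler never reads the photo or recipient from the request at all; cid and rid are only compared against what the support item already records, and a mismatch is treated as tampering rather than silently corrected.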

Kumar said that any photo could be removed from pages and users, shared and tagged images could be deleted, and photos could be removed from groups, pages and suggested posts without restriction.

As a result, Kumar has been awarded $12,500 through the website's Bug Bounty program, which encourages researchers to report their findings for financial reward, and the bug has been fixed.

Topics: Security, Social Enterprise

  • What about uploading a photo

    Most of the photos on FB probably should be deleted, but if you can delete, then you can probably do other things too... Such as uploading a compromising photo ... The possibilities are endless.
    • I agree with your first suggestion

      but I think the second is pure hyperbole.
      Little Old Man
  • If you wouldn't put it on your front door

    for the neighbors to see, then it SHOULDN'T be posted on FB.

    Simple rule that the mindless hordes don't understand.
  • So it is not a flaw

    Allowing photos to be removed is a good thing, especially when it is on Facebook, where everyone posts disgusting pictures of food and friends. It should be considered a blessing, not a flaw.