Facebook flaw allows hackers to delete any photo

A bug bounty hunter has been rewarded with $12,500 after discovering the security flaw which left your photos fair game.
Written by Charlie Osborne, Contributing Writer
Credit: CNET UK

A security flaw which allowed hackers to delete any image stored on Facebook has been discovered by Indian researcher Arul Kumar -- and he has been rewarded for his efforts.

The Facebook flaw, explained in length on Kumar's blog, exploits the Facebook Support Dashboard. Considered "critical," the bug works with any browser and any version, but was most successfully exploited through mobile devices.

The Facebook Support Dashboard is used to send Photo Removal requests to the firm. Reports are reviewed by Facebook employees, or alternatively reports can be sent directly to the image's owner. A link is then generated to remove the photo -- which if clicked by the owner, removes the offending image.

However, while sending the message, two parameters -- Photo_id & Owners Profile_id -- are vulnerable. If modified, then the hacker could receive any photo removal link within their inbox, without the owner's interaction or knowledge.

Every photo has an "fbid" value, which can be found through a Facebook URL. After the image ID has been secured, then two Facebook user accounts -- where one would act as a "sender" and one as a "receiver" -- can be used to receive a 'remove photo link'.

Owner profile IDs can be found by using Facebook Graph.


The security enthusiast explains how the hack works:

https://m.facebook.com/report/social/?phase=0&next_phase=8&pp={"first_dialog_phase": 8,"support_dashboard_item_id":396746693760717,"next":"\/settings\/support\/details\/?fbid=396746693760717","actions_to_take":"{\"send_message\":\"send_message\"}"}&content_type=2&cid=PHOTO_ID&rid=PROFILE_ID

Look at the URL. You can able to find "cid" & "rid" Parameters at end.These are vulnerable parameters from which we can able to send a Photo Removal Link of any photo to a receivers inbox by modifying value of "photo_id" & "profile_id".


cid= Photo_id (Just include your target photo’s Id value as "cid" input )

rid= Profile_id (You need to include receiver’s Profile ID as "rid" input )

After including those values, press enter. Then If you click the "Continue" Button Facebook will automatically send the photo Removal Link to your Receiver Profile.

Kumar said that any photo can be removed from pages and users, shared & tagged images can be deleted, and photos could be removed from groups, pages and suggested posts without restriction.

As a result, Kumar has been awarded $12,500 through the website's Bug Bounty program, which encourages researchers to report their findings for financial reward, and the bug has been fixed.

Editorial standards