That is exactly what security researcher Arul Kumar did when he found a flaw in Facebook’s “Support Dashboard.” It earned him a bounty of $12,500, or approximately P555,000.
So how did the bug work?
From Arul’s blog.
Description:
This flaw exists while sending a message. I can manually modify Photo_id & Owner’s Profile_id so that I am able to receive any photo removal link to my inbox. It would be done without any user’s interaction. And also Facebook will not notify the owner if his photo was removed.
Vulnerable URL/Parameter:
m.facebook.com/report/social/?phase=0&next_phase=8&pp={"first_dialog_phase":8,"support_dashboard_item_id":396746693760717,"next":"\/settings\/support\/details\/?fbid=396746693760717","actions_to_take":"{\"send_message\":\"send_message\"}"}&content_type=2&cid=PHOTO_ID&rid=PROFILE_ID
By changing the vulnerable parameters in the URL above (the cid=PHOTO_ID and rid=PROFILE_ID values), the attacker receives the photo removal link for any photo directly in his own inbox instead of the photo’s real owner.
The photo is deleted within minutes.
You can check the video embedded above or Arul’s blog post.
The vulnerability is considered critical since it deletes any Facebook photo without any interaction from the photo’s owner.
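To make the root cause concrete, here is an added toy model of the report flow described above; it is not Arul Kumar’s or Facebook’s code, and the photo ids, profile ids, link format and inbox are all constructed for the illustration. The vulnerable handler trusts the client-supplied rid and cid the way the URL above does, while the fixed handler derives the recipient from the server-side owner record, logs a tampered rid, and notifies the owner.

```python
from typing import Dict, List

# Constructed sample data for the example: photo id -> owner profile id.
PHOTO_OWNERS: Dict[int, int] = {555001: 1001}  # photo 555001 belongs to profile 1001


class Inbox:
    """Minimal stand-in for a messaging inbox, keyed by profile id."""

    def __init__(self) -> None:
        self.messages: Dict[int, List[str]] = {}

    def send(self, profile_id: int, text: str) -> None:
        self.messages.setdefault(profile_id, []).append(text)


def removal_link(photo_id: int) -> str:
    # Constructed placeholder URL; a real link would carry a signed, single-use token.
    return f"https://example.invalid/remove_photo?cid={photo_id}"


def vulnerable_send_removal(inbox: Inbox, reporter: int, cid: int, rid: int) -> int:
    """Mirrors the bug: whoever controls rid in the query string gets the link."""
    inbox.send(rid, removal_link(cid))
    return rid


def fixed_send_removal(inbox: Inbox, reporter: int, cid: int, rid: int) -> int:
    """Ignores the client-supplied rid; the recipient is the photo's recorded owner."""
    owner = PHOTO_OWNERS.get(cid)
    if owner is None:
        raise ValueError(f"unknown photo id {cid}")
    if rid != owner:
        # A rid that disagrees with the owner record is the signal worth logging and alerting on.
        print(f"tamper-warning reporter={reporter} cid={cid} rid={rid} owner={owner}")
    inbox.send(owner, removal_link(cid))
    # Closes the second gap from the report: the owner always learns about the removal request.
    inbox.send(owner, f"Your photo {cid} was reported by profile {reporter}.")
    return owner
```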