In a nice example of how Facebook’s bounty program should work (in contrast with that mess a few weeks ago), a security researcher has unearthed a bug that would let anyone delete just about any photo from Facebook — whether the photo was yours, mine, or Zuckerberg’s — and was paid a solid chunk of cash for the discovery.
According to the terms of Facebook’s white hat program, those who find bugs and follow Facebook’s rules in reporting them are paid a bounty. The minimum bounty for any bug is set at $500, with Facebook paying more based on the bug’s severity. Most payouts I’ve heard of tend to be around $1,500. In his write up of this bug, security researcher Arul Kumar says he was paid $12,500 — roughly 25x the base bounty.
Why so much? It’s likely because this bug was really, really simple to reproduce. Seemingly a matter of changing a few parameters in a URL, it would have been trivial to create a tool that allowed a malicious user to delete other user’s photos en masse.
The bug, says Arul, relied on a weakness in Facebook’s support dashboard, which allows a user to see the status of reports they’ve sent for review (for reporting things like inappropriate profiles or photos, or spam.)
If a user reported a photo and Facebook decided not to forcibly delete it, that user would get a link that let them send a quick takedown request whoever had uploaded the image, complete with a one-click delete button. This link, it seems, was the weakness.
By changing a pair of numbers in the link’s URL, Arul says he could take down any photo, from any user — regardless of who that photo actually belonged to, and whether or not that photo had ever actually been reported. He could send a takedown request for a photo on some celebrity’s account, for example, to his own secondary profile. The target account wouldn’t see a thing until their photo was already gone.
Here’s Arul’s video, demonstrating the weakness:
Funnily enough, Arul demonstrates his exploit on Mark Zuckerberg’s account — the same thing that kept a researcher from claiming a bounty a few weeks ago (as Facebook prohibits researchers from testing their exploits on any real accounts). The difference here, though, is that Arul never actually affected Zuck’s account. Whereas the previous researcher used his exploit to post news of his bug to Zuck’s otherwise private wall, Arul arms the bug to show how it all comes together but never pushes that last button to delete the photo.
The bug should now be fixed.