Facebook flaw allowed hackers to delete posted photos

A security researcher is rewarded with $12,500 after discovering the security flaw that left photos fair game.

Charlie Osborne
Charlie Osborne Contributing Writer
Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B.
2 min read

A security flaw that allowed hackers to delete any image stored on Facebook has been discovered by Indian researcher Arul Kumar -- and he has been rewarded for his efforts.

The Facebook flaw, explained in length on Kumar's blog, exploits the Facebook Support Dashboard. Considered "critical," the bug works with any browser and any version, but was most successfully exploited through mobile devices.

The Facebook Support Dashboard is used to send Photo Removal requests to the firm. Reports are reviewed by Facebook employees, or alternatively reports can be sent directly to the image's owner. A link is then generated to remove the photo -- which if clicked by the owner, removes the offending image.

However, while sending the message, two parameters -- Photo_id & Owners Profile_id -- are vulnerable. If modified, then the hacker could receive any photo removal link within their inbox, without the owner's interaction or knowledge.

Every photo has an "fbid" value, which can be found through a Facebook URL. After the image ID has been secured, then two Facebook user accounts -- where one would act as a "sender" and one as a "receiver" -- can be used to receive a 'remove photo link'.

Owner profile IDs can be found by using Facebook Graph.

The security enthusiast explains how the hack works:

Arul Kumar

https://m.facebook.com/report/social/?phase=0&next_phase=8&pp={"first_dialog_phase": 8,"support_dashboard_item_id":396746693760717,"next":"\/settings\/support\/details\/?fbid=396746693760717","actions_to_take":"{\"send_message\":\"send_message\"}"}&content_type=2&cid=PHOTO_ID&rid=PROFILE_ID
Look at the URL. You can able to find "cid" & "rid" Parameters at end.These are vulnerable parameters from which we can able to send a Photo Removal Link of any photo to a receivers inbox by modifying value of "photo_id" & "profile_id".
cid= Photo_id (Just include your target photo's Id value as "cid" input )
rid= Profile_id (You need to include receiver's Profile ID as "rid" input )
After including those values, press enter. Then If you click the "Continue" Button Facebook will automatically send the photo Removal Link to your Receiver Profile.

Kumar said that any photo can be removed from pages and users, shared and tagged images can be deleted, and photos could be removed from groups, pages and suggested posts without restriction.

As a result, Kumar has been awarded $12,500 through the website's Bug Bounty program, which encourages researchers to report their findings for financial reward, and the bug has been fixed.

This article originally appeared on ZDNet.