Facebook Security Flaw Allowed Any User To Delete Any Image

Details of a Facebook security flaw have recently been shared. This latest flaw was image related and was discovered by way of an Indian researcher by the name of Arul Kumar. Perhaps key here, this flaw was first reported to Facebook and has since been corrected. As a result, Kumar has been rewarded for his discovery and has since taken to his blog to detail how this worked.

The short version is that anyone could delete an image from Facebook — even if you were not the owner of said image. This was done using two active Facebook accounts one of which acted as the sender with the other acting as the receiver. The person looking to delete an image also needed the photo_id (fbid) and profile_id details. The photo_id was found on the image you were removing and the profile_id was for that second Facebook page, the one for the receiver.

Kumar spoke about how these images could be deleted from the Shared and Tagged photos as well as from any user uploaded image that was on their Status or in their Photo Album. This process could also be used to remove images from any Page or Group as well as from any of Suggested Post. The process to have an image removed typically means a user will get the request and that will also be followed-up with confirmation of the removal.

Using the method discovered by Kumar, nobody would be notified if or when an image was deleted. Basically, by finding details for the photo_id (fbid) and profile_id Kumar was able to skip the actual process and simply delete the image by himself. This bug was reported through the Facebook Bug Bounty program which pays users for what they are calling "responsible disclosure." Or in other words, by reporting the issue to Facebook and allowing them time to test and make necessary fixes before you go public.

Anyway, for his efforts Kumar received $12,500. Facebook recently confirmed they have paid out more than $1 million dollars over the previous two years for other responsibly disclosed issues. And as a reminder, Facebook also recently made it clear that Instagram is included in the Bug Bounty program.