A security flaw which allowed hackers to delete any image stored on Facebook has been discovered by Indian researcher Arul Kumar — and he has been rewarded for his efforts.
The Facebook flaw, explained in length on Kumar’s blog, exploits the Facebook Support Dashboard. Considered “critical,” the bug works with any browser and any version, but was most successfully exploited through mobile devices.
The Facebook Support Dashboard is used to send Photo Removal requests to the firm. Reports are reviewed by Facebook employees, or alternatively reports can be sent directly to the image’s owner. A link is then generated to remove the photo — which if clicked by the owner, removes the offending image.
However, while sending the message, two parameters — Photo_id & Owners Profile_id — are vulnerable. If modified, then the hacker could receive any photo removal link within their inbox, without the owner’s interaction or knowledge.
Every photo has an “fbid” value, which can be found through a Facebook URL. After the image ID has been secured, then two Facebook user accounts — where one would act as a “sender” and one as a “receiver” — can be used to receive a ‘remove photo link’.
Owner profile IDs can be found by using Facebook Graph.