If a person sends a request for the removal of a photo, such as a photo of another user, the Facebook server automatically generates a download link for that photo and sends it to the other user, the owner of the photograph. If that user clicks the link received from Facebook, the image is deleted.
Kumar explained how an attack can take advantage of this flaw. Two parameters within Facebook's system, "Photo ID" and "Profile_id", are vulnerable to tampering, and attackers can modify them. The modification allows an attacker with two Facebook profiles to send a removal request for a photograph from one account so that the second profile receives the link to remove the photo. In this way the image can be removed without the knowledge or permission of its true owner.
For discovering this flaw and helping with its removal, Facebook rewarded Kumar with 12 and a half thousand dollars.
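The class of flaw described above is a request handler that trusts a client-supplied recipient identifier. The following is an added example, not Facebook's code: a constructed model with hypothetical names (`PHOTO_OWNERS`, `request_removal_*`, `confirm_removal`) that places the trusting handler beside one that derives the recipient from the server-side ownership record and re-checks ownership when the link is used.

```python
# Constructed model of a photo-removal request flow; all names and data are hypothetical.
PHOTO_OWNERS = {"photo-1001": "alice"}   # server-side record: photo id -> owner profile id
OUTBOX = []                              # (recipient, photo_id) pairs for removal links sent


def send_removal_link(recipient, photo_id):
    """Record that a removal link for photo_id was delivered to recipient."""
    OUTBOX.append((recipient, photo_id))
    return recipient


def request_removal_vulnerable(requester, photo_id, profile_id):
    """Trusts the client-supplied profile_id as the recipient of the removal link."""
    if photo_id not in PHOTO_OWNERS:
        raise KeyError("unknown photo")
    return send_removal_link(profile_id, photo_id)


def request_removal_hardened(requester, photo_id, profile_id=None):
    """Derives the recipient from the server-side ownership record only."""
    owner = PHOTO_OWNERS.get(photo_id)
    if owner is None:
        raise KeyError("unknown photo")
    if profile_id is not None and profile_id != owner:
        # A mismatch means the request parameters were altered: reject it
        # so the event can be logged and investigated.
        raise PermissionError(
            f"profile_id mismatch for {photo_id} (requested by {requester})"
        )
    return send_removal_link(owner, photo_id)


def confirm_removal(clicker, photo_id):
    """Second check at click time: only the recorded owner may confirm deletion."""
    if PHOTO_OWNERS.get(photo_id) != clicker:
        raise PermissionError("only the photo owner can confirm removal")
    del PHOTO_OWNERS[photo_id]
    return True
```

The hardened handler never uses the submitted `profile_id` for routing, and `confirm_removal` enforces ownership again so that a misdelivered link alone cannot delete the photo.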
[Ed - As with all services, Facebook is going to become even more of a target as these flaws get released. There may also be an increased interest in finding flaws in Facebook because of information released about the NSA's Prism program. No matter the reason, Facebook really needs to step things up, and soon...]