Monday, 02 September 2013 20:43

Facebook flaw allows users to delete any photo


Arul Kumar, an Indian computer security enthusiast, reported a flaw in Facebook that allows any photo on the social network to be deleted within one minute. The flaw is in the Support Dashboard, a portal that lets users submit complaints about violations or offensive content and track whether each complaint has been processed. Facebook employees handle complaints 24 hours a day, seven days a week.

If a person sends a request for the removal of a photo, such as a photo belonging to another user, the Facebook server automatically generates a removal link for that photo and sends it to the other user, the owner of the photo. If the owner clicks the link received from Facebook, the image is deleted.

Kumar explained how an attack that takes advantage of this flaw works. Two parameters in Facebook's system, "Photo ID" and "Profile_id", are vulnerable to tampering, and an attacker can modify them. The modification allows an attacker with two Facebook profiles to send a removal request for a photo from one account and have the second profile receive the link that removes it. In this way the image can be removed without the knowledge or permission of its true owner.
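The server-side check that closes this class of flaw, shown as an added example (not Facebook's code and not from Kumar's report): a simplified model of the removal-link flow with the flawed handler beside a hardened one. The function names, the `PHOTOS` table, the sample profiles and the HMAC-signed link are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: photo id -> profile id of the owner.
PHOTOS = {"photo-1001": "alice", "photo-1002": "bob"}
SERVER_KEY = secrets.token_bytes(32)  # signing key for removal links


def sign_link(photo_id, recipient):
    """Bind a removal link to one photo and the one profile it was issued to."""
    msg = f"{photo_id}|{recipient}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def request_removal_vulnerable(reporter, photo_id, profile_id):
    """Flawed pattern: the link recipient is whatever profile_id the request says."""
    return {"to": profile_id, "photo": photo_id,
            "token": sign_link(photo_id, profile_id)}


def request_removal_hardened(reporter, photo_id, profile_id=None):
    """Ignore the client-supplied profile_id and look the owner up server-side."""
    owner = PHOTOS.get(photo_id)
    if owner is None:
        raise KeyError("unknown photo")
    return {"to": owner, "photo": photo_id, "token": sign_link(photo_id, owner)}


def confirm_removal(session_user, photo_id, token):
    """Delete only when the logged-in user owns the photo and the token matches."""
    owner = PHOTOS.get(photo_id)
    if owner is None or session_user != owner:
        return False  # authorization comes from the session, not from the link
    if not hmac.compare_digest(token, sign_link(photo_id, owner)):
        return False  # link was issued for a different photo or profile
    del PHOTOS[photo_id]
    return True
```

The hardened path checks ownership twice: once when deciding who receives the link, and again against the authenticated session when the link is used.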

For the discovery of this flaw and help with its removal, Facebook rewarded Kumar with 12 and a half thousand dollars.

[Ed - As with all services, Facebook is going to become even more of a target as these flaws get released. There may also be an increased interest in finding flaws in Facebook because of information released about the NSA's Prism program. No matter the reason, Facebook really needs to step things up and soon...]


Read 2611 times Last modified on Monday, 02 September 2013 20:46
