Who says Facebook doesn’t pay out bounties when bugs are reported? Arul Kumar, an electronics and communications engineer from Tamil Nadu in India, is $12,500 richer after reporting a bug that allowed users to delete photos from Facebook via the social network’s support dashboard.
Facebook Security eliminated the bug, which worked via the photo removal request feature in the social network’s support dashboard. Kumar described in a blog post how he was able to manually alter the user IDs of the sender and receiver of photo removal requests, with two Facebook accounts logged in simultaneously, adding that once the account that was designated as the photo owner received the removal request, photos could be deleted immediately, and the users who posted those photos would be none the wiser.
But unlike Shreateh, who exploited his bug to post on the Timeline of Facebook Co-Founder and CEO Mark Zuckerberg, Kumar provided video documentation of the bug he discovered, leading to its removal by Facebook Security and his reward.
The initial email Kumar received from Facebook security read (unedited):
Yeah I messed around with this for the last 40 minutes but cannot delete any victims photo. All I can do is if the victim clicks the link and chooses to remove the photo it will be removed which is not a security vuln (vulnerability) obviously.
After Kumar sent the video seen below, the same Facebook security staffer emailed:
OK found the bug, fixing the bug. The fix should be live by sometime early tomorrow. I will let you know when it is live so you can retest. Wanted to say your video was very good and helpful, I wish all bug reports had such a video 🙂
Readers: Have you ever discovered a bug on Facebook?
Yellow bug image courtesy of Shutterstock.