HideMyAss VPN


Thursday, September 5, 2013

‘Critical’ Facebook flaw left user images vulnerable to deletion by hackers

Indian researcher Arul Kumar has uncovered a security flaw that allowed hackers to delete any image from any Facebook user’s profile, without the user’s knowledge or consent.
The flaw has been classed as ‘critical’ and worked by exploiting the Facebook Support Dashboard, which is used to send Photo Removal requests to the company. These reports are usually either seen by Facebook’s employees or sent directly to the image’s owner with an automatically generated link to remove the photo. Once clicked by the user, the target image is then deleted.

The bug revealed that when these removal requests were sent, two parameters were left open and vulnerable. If a hacker modified Photo_id and Owners Profile_id, they were able to bypass any user interaction and simply have the removal link sent to their own personal inbox instead.

The owner profile IDs can be found through a simple search with Facebook Graph, and each image contains the fbid value, which can be found in a Facebook URL. Once the photo’s ID had been pinned down, two Facebook user accounts could then be inserted in order to receive the link needed to remove the image, with one person acting as a sender and the other as a receiver.
Kumar has warned that any photo could be taken from any page or user, including shared and tagged images, photos from groups and pages and images from suggested posts. The researcher has since been awarded a $12,500 bounty through Facebook’s Bug Bounty program and the company says that the error has since been fixed.
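The class of fix for a flaw like this is to resolve the photo's owner on the server instead of trusting the value in the request. The sketch below is an added example, not Facebook's code: the handler names, the `PHOTO_OWNERS` table, the profile names and the audit-log format are all constructed for illustration, and it assumes the removal link is delivered to whichever profile the handler selects.

```python
"""Constructed model of a photo-removal report handler (not Facebook's code)."""

# Constructed sample data: photo_id -> profile_id of the account that owns it.
PHOTO_OWNERS = {"photo-1001": "profile-alice", "photo-1002": "profile-bob"}


class RemovalRequestRejected(Exception):
    """Raised when a report fails server-side validation."""


def handle_report_trusting(outbox, params):
    """Flawed pattern: the recipient of the removal link is whatever
    profile_id the request carries, so the client picks the inbox."""
    outbox.append((params["profile_id"], params["photo_id"]))


def handle_report_checked(outbox, audit_log, reporter, params):
    """Hardened pattern: the owner is looked up server-side from photo_id;
    a client-supplied profile_id is only compared, never used for delivery."""
    photo_id = params.get("photo_id")
    owner = PHOTO_OWNERS.get(photo_id)
    if owner is None:
        raise RemovalRequestRejected("unknown photo_id")
    claimed = params.get("profile_id")
    if claimed is not None and claimed != owner:
        # A mismatch means the request was altered; record it for detection.
        audit_log.append({"event": "owner_mismatch", "reporter": reporter,
                          "photo_id": photo_id, "claimed_owner": claimed})
        raise RemovalRequestRejected("profile_id does not own photo_id")
    outbox.append((owner, photo_id))
    return owner


def run_demo():
    """Send one altered report through both handlers and return the outcome."""
    altered = {"photo_id": "photo-1001", "profile_id": "profile-mallory"}
    weak_outbox, safe_outbox, audit_log = [], [], []
    handle_report_trusting(weak_outbox, altered)
    try:
        handle_report_checked(safe_outbox, audit_log, "profile-eve", altered)
        rejected = False
    except RemovalRequestRejected:
        rejected = True
    return weak_outbox, safe_outbox, audit_log, rejected


if __name__ == "__main__":
    print(run_demo())
```

The mismatch entries in `audit_log` double as a detection signal: a legitimate client has no reason to submit an owner that differs from the stored one.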

If you’re concerned about the security of your personal data then a VPN service can offer you added peace of mind when surfing the web. A VPN gives your computer an extra layer of protection while you’re using the internet, helping to ensure that the information stored on your device remains securely defended against any external forces attempting to access it.