Facebook vulnerability allows anyone to delete photos

Indian security researcher Arul Kumar discovered a security flaw that allowed anyone, even without special knowledge of hacking, to delete any photo uploaded to Facebook (the term "security researcher" is the positive counterpart of the term "hacker"). Arul Kumar received 12,500 dollars from Facebook for his discovery.

As Arul Kumar explains on his blog, the flaw exploits the Facebook Support service. The vulnerability was considered critical and works with any browser and any version.


The Facebook Support dashboard is used to send requests to delete posts, pages or photos. Requests are evaluated by Facebook workers, or alternatively they are sent to the owner of the photo (if it is a photo). Along with the deletion request, a link is also sent which, when clicked, deletes the photo in question.

The link contains two parameters: Photo_id and Owner's Profile_id. That is, it describes exactly who the owner is and which image it is. If these two parameters are modified, a hacker could delete any photo without the owner knowing.


Each photo has a "fbid" value, which can be found in the URL of the photo and is essentially its identity.
The owner's profile IDs can be found using Facebook Graph.

Arul Kumar gave some examples:

https://m.facebook.com/report/social/?phase=0&next_phase=8&pp={"first_dialog_phase": 8,"support_dashboard_item_id":396746693760717,"next":"\/settings\/support\/details\/?fbid=396746693760717","actions_to_take":"{\"send_message\":\"send_message\"}"}&content_type=2&cid=PHOTO_ID&rid=PROFILE_ID

Look at the URL. You can see the "cid" and "rid" parameters, which could be used to remove any photo by changing the values of "photo_id" and "profile_id".

If you then click the "Continue" button, Facebook will automatically send a photo removal link to the profile you set.

If you think this is a good idea, do not try it, because the bug has already been corrected.
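The flaw described above comes down to a server trusting object identifiers supplied by the client. The following Python code is an added example, not code from Facebook or from Arul Kumar's blog: it models a report handler that takes the recipient from "rid" as sent, next to one that looks up the photo owner server-side. The function names, the sample ids and the signed removal token are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: photo id -> owning profile id (not real Facebook ids).
PHOTO_OWNERS = {1001: 501, 1002: 502}
SECRET = b"constructed-demo-key"  # placeholder server-side signing key


def removal_token(photo_id: int, profile_id: int) -> str:
    """Bind a removal link to one photo and one recipient so neither can be swapped."""
    msg = f"{photo_id}:{profile_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def report_vulnerable(cid: int, rid: int) -> dict:
    """Flawed pattern from the article: the recipient comes straight from the request."""
    return {"send_to": rid, "photo": cid, "token": removal_token(cid, rid)}


def report_checked(cid: int, rid: int) -> dict:
    """Hardened pattern: the owner is looked up server-side; a mismatched rid is refused."""
    owner = PHOTO_OWNERS.get(cid)
    if owner is None:
        raise LookupError("unknown photo")
    if rid != owner:
        raise PermissionError("rid does not match the photo owner")
    return {"send_to": owner, "photo": cid, "token": removal_token(cid, owner)}


def delete_photo(photo_id: int, acting_profile: int, token: str) -> bool:
    """Deletion re-checks ownership and the token instead of trusting the link alone."""
    if PHOTO_OWNERS.get(photo_id) != acting_profile:
        return False
    expected = removal_token(photo_id, acting_profile)
    if not hmac.compare_digest(expected, token):
        return False
    del PHOTO_OWNERS[photo_id]
    return True


if __name__ == "__main__":
    # Profile 502 names itself as rid for photo 1001, which belongs to profile 501.
    print(report_vulnerable(1001, 502)["send_to"])  # link goes to the wrong profile
    try:
        report_checked(1001, 502)
    except PermissionError as exc:
        print("refused:", exc)
```

The second ownership check in delete_photo matters as much as the first: even a validly signed link is honoured only for the profile that actually owns the photo.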
