Indian researcher Arul Kumar has unearthed a security lacuna inside Facebook Inc (NASDAQ:FB) that allow hackers to delete any image stored on the social networking site. Arul Kumar, who has been duly rewarded for his findings, has discussed this security flaw in his blog, in which he discusses the Facebook Support Dashboard.


This bug could be used through any browser and on any version, but it was simplest to access it through a mobile device.

Kumar gets bounty for his findings

Arul Kumar, 21, is an electronics and communication engineer from Tamil Nadu. Kumar is a security buff who practices ethical hacking, and has received cash rewards from Facebook Inc (NASDAQ:FB) two times so far in 2013.

Facebook Inc (NASDAQ:FB) awarded Kumar $12,500 under the website’s Bug Bounty Program. Through this program, researchers discovering any bug receive a financial reward.

Almost every image on Facebook was at risk

Initially, when Arul shared the bug with Facebook’s security team under the white-hat program, the team was not able to understand the issue. He then exemplified the security issue through a demo account, along with conveying the proof with a concept video, where he exhibited how he could remove Mark Zuckerberg’s own photos from his album—this time the flaw was tracked by Emrakul (no first name given) from the Facebook Inc (NASDAQ:FB) security team and was eventually fixed.

The process seems to be that while sending a message, any hacker can modify the Photo_id & Owners Profile_id. If the hacker successfully modifies these two parameters, then he can receive the photo, and delete the link in his inbox without the owner knowing about it.

According to Kumar, almost every photo from pages and users, plus shared and tagged images can be deleted. Additionally, photos from groups and pages can also be deleted without any restriction.

A similar prior incident

Before Kumar’s discovery, a similar incident occurred in which security expert Khalil Shreateh notified the Security team at Facebook Inc (NASDAQ:FB) how easy it was to hack a Facebook account. However, Facebook did not pay Khalil for revealing a bug because Khalil used Zuckerberg’s wall to post about the bug.