Hacker to get $12,500 from Facebook for finding photo glitch

An “ethical hacking enthusiast” from southern India is to receive a $12,500 bounty from Facebook after discovering a vulnerability which allowed him to delete any photo hosted on the social network.

Posting details of the discovery on his blog this week, Arul Kumar told how the bug was initially dismissed by the company, prompting him to make a step-by-step video showing the flaw in detail.

In the video he explained how he “exploited Mark Zuckerberg’s photo from his photo album”.

Kumar held off on actually deleting any images of the Facebook founder, but on receiving the video evidence the bug was accepted as fact by Facebook, with Kumar receiving a message from one of the company’s security team telling him, “I wish all bug reports had such a video”.

Rewarded
With the vulnerability fixed in recent days, it allowed the 21-year-old to reveal full details of his work and the $12,500 reward through his blog.

Vice president for security research with Trend Micro, Rik Ferguson, said some industrious ethical hackers may see finding such issues as a solid revenue stream, with other companies such as Microsoft, Google and PayPal offering similar rewards for finding glitches within their sites, services and products.

“And why not? It’s a lot of effort to find the defects and it’s only right then that people should be rewarded for those efforts as it’s helping whoever the defect affects to develop a better end product,” he said.

Ferguson told The Irish Times that “there was a big movement a few years ago of ‘no more free bugs’ as people were sick of not being rewarded for finding errors and vulnerabilities, and in response to that a lot of companies have begun these bounty programs.”

Security blogger and head of technology for the Asia Pacific region with Sophos, Paul Ducklin, noted that the reason Facebook paid Kumar “top dollar” by bounty standards (with many bounties starting at $500) was that “it’s not just deleting a photo, it’s something which could be used for malware”.

Ducklin noted that in the case of a company such as Microsoft some bounties can reach up to $100,000, depending on the complexity and importance of the flaw discovered. Ducklin added that the decision by Kumar to present his case by video was certainly of help to his case.

Vulnerability
“The bounty amounts vary by how hard it is yes, but also how well you present your case and by doing it through video it makes it much easier for them to fix it as they can see what exactly they have to do.”

Kumar’s methods of highlighting the bug were more successful than the recent efforts of Khalil Shreateh, an IT graduate from Palestine, who had discovered a vulnerability which allowed someone to post a message on a person’s Facebook timeline, even if they were not “friends” with that individual.

After becoming upset when an official Facebook response told him “this is not a bug”, Shreateh posted a message on Zuckerberg’s personal wall utilising the vulnerability in question.

However, as this violated the company’s terms for discovering bounties Shreateh found he would not be receiving any reward and instead saw his account temporarily suspended.