Arul Kumar isn’t the first person to be paid for spotting a security flaw in a widely used online service, and he certainly won’t be the last.
The 21-year-old electronics and communication engineer revealed this week that Facebook paid him $12,500 for spotting a software vulnerability that could allow a hacker to delete any image stored on the social networking site. While the company is known to pay out for discoveries like this, such a large amount is thought to be rare, meaning Facebook’s security team considered it to be potentially very damaging.
Kumar, who on his blog describes himself as someone “with a passion in ethical hacking”, discovered that the bug existed with all versions of all browsers for both PC and mobile. The engineer explained on his blog that he found the flaw by going through Facebook’s Support Dashboard, which is used for sending photo removal requests to company staff.
Such requests can also be sent direct to the person who uploaded the image via the photo removal request form. The uploader receives a link, which, if clicked, removes the image.
However, Kumar found a way for a hacker to generate a photo removal link and have it sent to their own inbox, thereby allowing them to delete the image without the uploader knowing.
After bringing the bug to the attention of Facebook via its Bug Bounty program, the company’s security team agreed to pay out $12,500 for his effort.
The program didn’t quite work in the intended way for Palestinian IT researcher Khalil Shreateh, however, when his initial bug report was essentially ignored by Facebook’s security team. Frustrated, Shreateh hacked CEO Mark Zuckerberg’s wall to demonstrate the flaw. Not surprisingly, the security team then took a greater interest in the bug, though said they couldn’t pay Shreateh as he’d violated the site’s terms of service by exploiting the vulnerability. Fortunately for the IT researcher, however, the story has a happy ending.
Bugs for cash
Payouts to independent researchers for bug discoveries has been going on for a while. According to PC World, Web giant Google has paid out around $580,000 over the last three years to independent security researchers who’ve pointed out security vulnerabilities among its online tools, while Mozilla has handed over a similarly large sum, $570,000. However, their respective methods of payment differ – whereas Mozilla pays a flat sum of $3,000 to those who spot a flaw, Google pays an amount anywhere between $500 and $10,000 depending on how serious it considers the bug to be.
Google also organizes the Pwnium browser penetration contest where participants can win up to $150,000 for spotting major Chrome bugs, while the annual Pwn2Own contest also offers payments to hackers who uncover security weaknesses in popular software and mobile devices.