Facebook pays researcher $12.5K bounty for uncovering image-deletion security flaw

Arul Kumar isn’t the first person to be paid for spotting a security flaw in a widely used online service, and he certainly won’t be the last.

The 21-year-old electronics and communication engineer revealed this week that Facebook paid him $12,500 for spotting a software vulnerability that could allow a hacker to delete any image stored on the social networking site. While the company is known to pay out for discoveries like this, such a large amount is thought to be rare, meaning Facebook’s security team considered it to be potentially very damaging.

Ethical hacker

Kumar, who on his blog describes himself as someone “with a passion in ethical hacking”, discovered that the bug affected all versions of all browsers, on both PC and mobile. The engineer explained on his blog that he found the flaw by going through Facebook’s Support Dashboard, which is used for sending photo removal requests to company staff.

Such requests can also be sent directly to the person who uploaded the image via the photo removal request form. The uploader receives a link, which, if clicked, removes the image.

However, Kumar found a way for a hacker to generate a photo removal link and have it sent to their own inbox, thereby allowing them to delete the image without the uploader knowing.
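The weakness described above is a removal link that acts as a bearer token: whoever ends up holding the link can delete the photo, and the requester can influence where it is delivered. The following is an added illustration, not Facebook's code or Kumar's, of a hypothetical removal-link flow built two ways: a weak version in which the requester names the recipient and the server never checks who clicks, and a hardened version in which the recipient is always the owner looked up server-side and the clicking session must match that owner. The HMAC key, user names, photo ids and the `example.invalid`-style token format are all constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed key for the example; a real service loads this from a secret store.
SERVER_KEY = b"constructed-example-key-do-not-use"


def _sign(photo_id: str, recipient: str) -> str:
    """HMAC over photo id and intended recipient so the token cannot be forged or re-pointed."""
    msg = f"{photo_id}|{recipient}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def _parse(token: str) -> Optional[Tuple[str, str]]:
    """Verify the MAC and return (photo_id, recipient), or None if the token is invalid."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    photo_id, recipient, mac = parts
    if not hmac.compare_digest(mac, _sign(photo_id, recipient)):
        return None
    return photo_id, recipient


# --- weak design: requester chooses the recipient, redeemer is never checked ---

def issue_link_weak(photo_id: str, recipient: str) -> str:
    """The removal link is sent wherever the requester says (hypothetical weak flow)."""
    return f"{photo_id}|{recipient}|{_sign(photo_id, recipient)}"


def redeem_weak(photos: Dict[str, str], token: str, current_user: str) -> bool:
    """Deletes the photo for any valid token; ownership of the clicking session is ignored."""
    parsed = _parse(token)
    if parsed is None:
        return False
    photo_id, _recipient = parsed
    if photo_id not in photos:
        return False
    del photos[photo_id]  # no check that current_user owns the photo
    return True


# --- hardened design: recipient is the owner, and the redeemer must be that owner ---

def issue_link_hardened(photos: Dict[str, str], photo_id: str) -> Optional[str]:
    """Recipient is derived from the server-side owner record, never from the request."""
    owner = photos.get(photo_id)
    if owner is None:
        return None
    return f"{photo_id}|{owner}|{_sign(photo_id, owner)}"


def redeem_hardened(photos: Dict[str, str], token: str, current_user: str) -> bool:
    """Deletes only when the token is valid AND the logged-in user is both the
    token's recipient and the photo's current owner."""
    parsed = _parse(token)
    if parsed is None:
        return False
    photo_id, recipient = parsed
    owner = photos.get(photo_id)
    if owner is None or current_user != recipient or current_user != owner:
        return False
    del photos[photo_id]
    return True


def photo_survives_outsider(hardened: bool) -> bool:
    """Constructed scenario: 'mallory' requests a removal link for alice's photo and
    then tries to redeem it. Returns True if the photo is still present afterwards."""
    photos = {"photo-1001": "alice"}  # constructed photo store: photo id -> owner
    if hardened:
        link = issue_link_hardened(photos, "photo-1001")  # always addressed to alice
        redeem_hardened(photos, link, "mallory")          # refused: not recipient, not owner
    else:
        link = issue_link_weak("photo-1001", "mallory")   # requester picked the recipient
        redeem_weak(photos, link, "mallory")              # accepted: nobody checks ownership
    return "photo-1001" in photos


if __name__ == "__main__":
    print("weak design keeps photo:", photo_survives_outsider(False))      # False
    print("hardened design keeps photo:", photo_survives_outsider(True))   # True
```

The point of the hardened version is that the check happens at redemption against server-side state, so even a link that is leaked or misdelivered is useless to anyone but the owner; binding the recipient into the MAC alone would not be enough if the server still trusted a requester-supplied recipient.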

After bringing the bug to the attention of Facebook via its Bug Bounty program, the company’s security team agreed to pay out $12,500 for his effort.


The program didn’t quite work in the intended way for Palestinian IT researcher Khalil Shreateh, however, when his initial bug report was essentially ignored by Facebook’s security team. Frustrated, Shreateh hacked CEO Mark Zuckerberg’s wall to demonstrate the flaw. Not surprisingly, the security team then took a greater interest in the bug, though they said they couldn’t pay Shreateh as he’d violated the site’s terms of service by exploiting the vulnerability. Fortunately for the IT researcher, however, the story has a happy ending.

Bugs for cash

Payouts to independent researchers for bug discoveries have been going on for a while. According to PC World, Web giant Google has paid out around $580,000 over the last three years to independent security researchers who’ve pointed out security vulnerabilities in its online tools, while Mozilla has handed over a similarly large sum, $570,000. However, their respective methods of payment differ – whereas Mozilla pays a flat sum of $3,000 to those who spot a flaw, Google pays an amount anywhere between $500 and $10,000 depending on how serious it considers the bug to be.

Google also organizes the Pwnium browser penetration contest where participants can win up to $150,000 for spotting major Chrome bugs, while the annual Pwn2Own contest also offers payments to hackers who uncover security weaknesses in popular software and mobile devices.

[via Cnet]
