
The latest vulnerability in Facebook was revealed by an Indian security researcher named “Arul Kumar”. He found a vulnerability which could allow deleting a photo of any Facebook user within a minute.

Within a minute, yes, it is like that. He found a loophole in the Support Dashboard of Facebook. He also explained the vulnerability in his blog, where he writes:

Vulnerable URL & Parameters:

https://m.facebook.com/report/social/?phase=0&next_phase=8&pp={"first_dialog_phase": 8,"support_dashboard_item_id":396746693760717,"next":"\/settings\/support\/details\/?fbid=396746693760717","actions_to_take":"{\"send_message\":\"send_message\"}"}&content_type=2&cid=PHOTO_ID&rid=PROFILE_ID

Look at the URL. You can find the “cid” & “rid” parameters at the end. These are the vulnerable parameters, from which we can send the Photo Removal Link of any photo to my receiver’s inbox by modifying the values of “photo_id” & “profile_id”.
where,
    cid=  Photo_id (Just include your target photo’s Id value as “cid” input )
    rid=  Profile_id (You need to include receiver’s Profile ID as “rid” input )

After including those values, press Enter. Then, if you click the “Continue” button, Facebook will automatically send the photo Removal Link to your Receiver Profile. From your Receiver Profile, you can remove the photo which you have added in that vulnerable parameter. Now this bug has been fixed fully.
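The flaw described above is a missing server-side authorization check on the client-supplied “cid” and “rid” values. The sketch below is an added example, not code from the researcher's post or from Facebook: it contrasts a handler that trusts both parameters with one that derives the recipient from the photo's owner and re-checks ownership when the link is used. All function names, the in-memory ownership table and the key are constructed, and it assumes the legitimate recipient of a removal link is the photo's owner.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed; a real service loads this from a secret store
PHOTO_OWNER = {"9001": "alice", "9002": "bob"}  # constructed photo_id -> owner profile_id


def _sign(photo_id: str, recipient: str) -> str:
    """MAC that binds a removal link to one photo and one recipient."""
    msg = f"{photo_id}|{recipient}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_link_weak(cid: str, rid: str) -> dict:
    """Flawed pattern from the report: both ids are taken from the URL as-is."""
    return {"to": rid, "photo": cid, "token": _sign(cid, rid)}


def issue_link_checked(cid: str, rid: str) -> dict:
    """Hardened: the recipient must be the owner recorded server-side."""
    owner = PHOTO_OWNER.get(cid)
    if owner is None:
        raise LookupError("unknown photo")
    if rid != owner:
        # A mismatch means the request parameters were altered; refuse it.
        raise PermissionError(f"rid {rid!r} does not own photo {cid!r}")
    return {"to": owner, "photo": cid, "token": _sign(cid, owner)}


def redeem(session_user: str, photo_id: str, token: str) -> bool:
    """Removal re-checks ownership and the token at the moment of use."""
    if PHOTO_OWNER.get(photo_id) != session_user:
        return False
    return hmac.compare_digest(token, _sign(photo_id, session_user))
```

Checking ownership again in `redeem` means that even a link issued by the weak handler cannot be used by an account that does not own the photo.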

He also uploaded a video to show the vulnerability:

Facebook also awarded him $12,500 as he reported this vulnerability to the Facebook Security team. Last month, a security researcher from Palestine hacked Mark Zuckerberg’s Timeline to report a bug but was not awarded because he violated the terms & conditions of Facebook. Later, a donation campaign raised thousands of dollars for him.

Today, the hacker who hacked Mark’s timeline had his own account hacked by a hacker who used a brute-force attack to crack his password.
