A 21-year-old communications engineer and self-professed security enthusiast named Arul Kumar, from India, is about to get his second bounty from Facebook for pointing out a flaw in its Support Dashboard. This one was pretty interesting.
In short: the attacker uses the Support Dashboard to request the removal of a photo from someone else's account. The removal request carries the photo owner's Profile_id as a parameter the attacker can see and edit. Changing that Profile_id to the attacker's own id causes the request to be sent to the attacker instead of the owner; the attacker then approves the request and the photo is deleted. The server trusted a client-supplied identifier to decide who receives the request rather than deriving it from the photo's actual owner.
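The bug is a textbook insecure direct object reference. The toy model below is an added illustration, not Facebook's code and not taken from Arul's post: it invents a minimal photo store and removal-request queue (all class names, field names and ids are assumptions) and shows the client-trusting request handler beside a fixed one that looks the recipient up server-side and refuses a Profile_id that disagrees with the photo's owner.

```python
# Added example: toy model of a support "remove this photo" flow.
# Not Facebook's implementation; names, ids and data model are assumptions.
from dataclasses import dataclass


@dataclass
class Photo:
    photo_id: int
    owner_id: int


@dataclass
class RemovalRequest:
    request_id: int
    photo_id: int
    recipient_id: int   # the account whose "approve" decision counts
    requester_id: int   # the account that filed the request


class SupportDashboard:
    def __init__(self, photos):
        self.photos = {p.photo_id: p for p in photos}
        self.requests = {}
        self._next_id = 1

    def _queue(self, photo_id, recipient_id, requester_id):
        req = RemovalRequest(self._next_id, photo_id, recipient_id, requester_id)
        self.requests[req.request_id] = req
        self._next_id += 1
        return req

    # VULNERABLE: the recipient is whatever profile_id the client sent,
    # so an attacker can route the request to themselves.
    def request_removal_vulnerable(self, requester_id, photo_id, profile_id):
        if photo_id not in self.photos:
            raise KeyError("no such photo")
        return self._queue(photo_id, profile_id, requester_id)

    # FIXED: the recipient is derived from the photo record on the server.
    # A client-supplied profile_id is only accepted if it matches the owner.
    def request_removal_fixed(self, requester_id, photo_id, profile_id=None):
        photo = self.photos.get(photo_id)
        if photo is None:
            raise KeyError("no such photo")
        if profile_id is not None and profile_id != photo.owner_id:
            raise PermissionError("profile_id does not match the photo owner")
        return self._queue(photo_id, photo.owner_id, requester_id)

    # Approval is only honoured from the request's recipient. With the fixed
    # request path that is always the real owner; with the vulnerable path it
    # is whoever the attacker named.
    def approve(self, approver_id, request_id):
        req = self.requests.get(request_id)
        if req is None:
            raise KeyError("no such request")
        if approver_id != req.recipient_id:
            raise PermissionError("only the request recipient may approve")
        del self.photos[req.photo_id]
        del self.requests[request_id]
        return True


def run_attack(use_fix):
    """Replay the attack; return True if the attacker deleted the victim's photo."""
    OWNER, ATTACKER, PHOTO = 1001, 2002, 555   # constructed sample ids
    dash = SupportDashboard([Photo(PHOTO, OWNER)])
    try:
        if use_fix:
            req = dash.request_removal_fixed(ATTACKER, PHOTO, profile_id=ATTACKER)
        else:
            req = dash.request_removal_vulnerable(ATTACKER, PHOTO, profile_id=ATTACKER)
        dash.approve(ATTACKER, req.request_id)
    except PermissionError:
        pass
    return PHOTO not in dash.photos


if __name__ == "__main__":
    print("vulnerable: photo deleted by attacker =", run_attack(use_fix=False))
    print("fixed:      photo deleted by attacker =", run_attack(use_fix=True))
```

The fix is not "validate that the id looks like an id"; it is to stop asking the client who the owner is at all. Any identifier that selects whose consent is required must come from a server-side lookup keyed on the object being acted on, and a value echoed back from the client should at most be checked for agreement, never trusted.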
This video is from Arul's blog post. Facebook has fixed this hole, thanks to Arul's detective work. Good job, Arul.
Delete any Photo from Facebook by Exploiting Support Dashboard from Arul Kumar.V on Vimeo.