Another Major Vulnerability on Facebook : No Bounty to the Researcher

Share this article with your friends and peers...

Khalil Shreateh, a web developer who broke though the privacy on Facebook was not rewarded a bounty for discovering a bug on Facebook. The main reason was that, the researcher used a real account for testing those vulnerabilities and also, the social giant said there was a communication inconvenience between Facebook and Khalil. Today, another security researcher, Ehraz Ahmed found a big security bug where a user can delete any Facebook account by just using an URL. The vulnerability on Facebook now but the company did not give any bounty to Ehraz too.

Facebook strictly follows their policies, no matter how big the support for the researcher is from the public. Facebook can at least consider the level of security bug found by the researcher and shall be awarded the bounty.

The serious bug which made the hacker to delete a Facebook account was in an URL. The following URL made the researcher to delete any Facebook account he wished.

fb_dtsg=AQA1E-WE&selected_users[0]=[Victems Profile ID]&__user=[Attackers Profile ID]&__a=1

Ehraz reported this vulnerable link to Facebook but they didn't give a bounty for finding such vulnerability. The researcher used test accounts for testing those vulnerabilities. Facebook sent a reply for his bug repot stating that the vulnerability existed only in test accounts and not for real profiles. However, Ehraz wrote a blog post about this happening and also showed a proof that the bug worked on real accounts too. Facebook sent him the reply after fixing the bug but cleverly, Ehraz has made a video regarding the serious security bug.

The video which he made is below:

[vimeo 73853715]

The real account which Ehraz was deleted completely and is still not foud. When we tried to navigate to the profile he used the trick,it was deleted.

HexGroup Ehraz profile deleted

These continuous behavior of Facebook may discourage the researchers to find vulnerabilities on Facebook and may make them to sell the bugs for bucks. Facebook is said to have fixed another serious bug too. That is, a bug to delete any user's photos which existed so far was also fixed.

What's your thought on this? Share your comments below.

Share this article with your friends and peers...

7 people commented. Join the conversation.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • sathya says:

    Heyyy man , it did not worked for me.... i followed the exact process of u but i am able to c the victims profile... can u explain me clearly ????? is there any bug ???

  • Yes, It was revealed by researchers and finally recovered the bug. Not that line of code doesn’t work anymore.

  • Jay says:

    Now, Facebook is spreading the news that this was a false claim and he did this only to get popular, lol Facebook Grow up 🙂

  • Lhafi says:

    Hi !
    I am the one who found the Security Vulnerability that let you delete any user’s photos, I got 10000 USD for it (10k), not only photos it can be full albums , links or any type of post that you can share on profile wall , can delete photos from groups and pages too , only few stuff like docs or notes cannot be removed using this way. I found another dangerous security Vulnerability in the same time of this one , I thought you can only report a security bug per once, by the way I'm from Morocco , so sorry about my english , like I said I found another one in the same time of the first , when I reported it they said someone else he reported that before me , when I asked them about the day he reported that security bug , when they told me , the day he reported that security bug after a day that I found it ,and I'm sure the person who reported that security Vulnerability he was in my friend list , and the same person I asked to check something related with this security issue (I cant tell you until they fix it) and he said it's working , now he added me in his blacklist for no reason , and I have the proof that I am the first one who discovered this security bug ,but they said : "Unfortunately it appears that you were not the first researcher to report that issue." , they told me the first time : "Thanks. We're aware of the issue with photos from a previous report from a different researcher. We have a fix which should go out on Tuesday." it's Tuesday and still working :/ , oh about something else , I found months ago a way to post a really big pictures on groups using docs , I didn't know that's a security issue , but I knew that if you posted something like 60MPixels three times will make the group too slow and can block some browsers , and I'm sure that person reported that too because they closed it in the same week he joined to my group ,I think he just copied that code in the doc (fbml code) , I still have some pictures still working and I posted them months ago , and the picture I think he copied the code from it still working , if facebook accepted to send us a copy of the code that person he send them , I think that Will confirm that he stole that from me 🙁 . I found another two dangerous security bugs , but I didn't tell anyone about them and I used a new fb accounts that no one know with fake names for test (I can't use test accounts on these ones) , the very dangerous one that lead us to more bugs they accepted that from me , and they still investigating about it , about the seconde one they told me that someone else reported it before and they still looking for a patch. I found two others I'm waiting for facebook Reply..

  • Lhafi says:

    Please tell me where did you find info about the Security Vulnerability that let you delete any user’s photos ? ,because I didn't tell anyone about it!

  • Adil Meo says:

    there should be an award for that researcher 🙁