Another Major Vulnerability on Facebook: No Bounty for the Researcher
Khalil Shreateh, a web developer who broke through Facebook's privacy controls, was not paid a bounty for the bug he found. Facebook's stated reasons were that he had tested the vulnerability on a real account and that there had been a communication problem between the company and Khalil. Today another security researcher, Ehraz Ahmed, found a serious bug that let a user delete any Facebook account simply by requesting a URL. The bug has since been fixed, but Facebook did not pay Ehraz a bounty either.
Facebook follows its policies strictly, no matter how much public support a researcher has. It could at least weigh the severity of the bug a researcher reports and award a bounty on that basis.
The bug that let the researcher delete Facebook accounts was in a request URL. The following parameters let him delete any Facebook account he chose. Note that the request names two different people: the attacker as the acting user (__user) and the victim as the account to act on (selected_users). A server that deletes whatever selected_users names, without checking that it belongs to the authenticated requester, is missing an authorization check on the target account.
fb_dtsg=AQA1E-WE&selected_users=[Victim's Profile ID]&__user=[Attacker's Profile ID]&__a=1
Ehraz reported the vulnerable link to Facebook, but was not paid a bounty for it. He had used test accounts for his testing, and Facebook's reply to his bug report stated that the vulnerability existed only for test accounts and not for real profiles. Ehraz then wrote a blog post about the episode and showed proof that the bug worked on real accounts too. Facebook sent its reply only after fixing the bug, but Ehraz had, with foresight, recorded a video of the flaw in action.
The video he made is below:
The real account Ehraz used was deleted completely and has still not come back. When we tried to navigate to the profile on which he used the trick, it was gone.
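To make the class of bug concrete, here is a small Python model added for this article. It is not Facebook's code and does not reconstruct Facebook's actual endpoint; the account store, the session store, the server key, the handler names and the treatment of fb_dtsg as a per-user anti-CSRF token are all assumptions made for the example. The vulnerable handler authenticates the acting user and checks the CSRF token, exactly as a well-behaved attacker's own browser would satisfy, and then deletes whatever account selected_users names. The hardened handler adds the one check the parameter names call for: the target must be an account the authenticated session is allowed to act on.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed data for the example (not Facebook's): profile id -> active flag.
ACCOUNTS = {"1001": True, "2002": True}

# Constructed session store: browser session cookie -> authenticated profile id.
SESSIONS = {"attacker-session": "2002", "victim-session": "1001"}

# Hypothetical server-side secret used to derive per-user anti-CSRF tokens.
SERVER_KEY = b"hypothetical-server-key"


def make_csrf_token(profile_id):
    """Per-user anti-CSRF token; this stands in for the role fb_dtsg plays in the URL."""
    return hmac.new(SERVER_KEY, profile_id.encode(), hashlib.sha256).hexdigest()[:16]


def parse_request(query):
    """Turn the query string into a flat dict (first value wins, like most frameworks)."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def _authenticate(params, session_token):
    """Shared by both handlers: resolve the session and verify the CSRF token.

    Both checks pass for an attacker acting as himself, which is exactly why they
    are not enough on their own: neither says anything about the *target* account.
    """
    actor = SESSIONS.get(session_token)
    if actor is None or actor != params.get("__user"):
        return None, "error: not logged in as __user"
    expected = make_csrf_token(actor).encode()
    if not hmac.compare_digest(params.get("fb_dtsg", "").encode(), expected):
        return None, "error: bad csrf token"
    return actor, None


def vulnerable_delete(query, session_token, accounts):
    """Hypothetical handler with the class of gap the article describes."""
    params = parse_request(query)
    actor, err = _authenticate(params, session_token)
    if err:
        return err
    target = params.get("selected_users")
    if not accounts.get(target):
        return "error: no such account"
    # The gap: the target is taken straight from the request and never compared
    # with the authenticated actor, so a logged-in attacker can name any victim.
    accounts[target] = False
    return f"deleted {target}"


def hardened_delete(query, session_token, accounts):
    """Same flow plus object-level authorization on the target account."""
    params = parse_request(query)
    actor, err = _authenticate(params, session_token)
    if err:
        return err
    target = params.get("selected_users")
    # Authorization: the session must be allowed to act on this specific target.
    # For deleting an account, that means the target is the authenticated user.
    if target != actor:
        return "error: forbidden"
    if not accounts.get(target):
        return "error: no such account"
    accounts[target] = False
    return f"deleted {target}"


def attack_query(attacker_id, victim_id):
    """Build the attacker's request in the shape of the URL quoted in the article."""
    return (f"fb_dtsg={make_csrf_token(attacker_id)}&selected_users={victim_id}"
            f"&__user={attacker_id}&__a=1")


def demo():
    """Run the same attacker request against both handlers and report the outcomes."""
    query = attack_query("2002", "1001")
    vuln_accounts, hard_accounts = dict(ACCOUNTS), dict(ACCOUNTS)
    return {
        "vulnerable": vulnerable_delete(query, "attacker-session", vuln_accounts),
        "victim_active_after_vulnerable": vuln_accounts["1001"],
        "hardened": hardened_delete(query, "attacker-session", hard_accounts),
        "victim_active_after_hardened": hard_accounts["1001"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of keeping the CSRF check in both versions is that it is not the fix: the attacker's request carries a perfectly valid token for his own session. What separates the two handlers is the single comparison of the target against the authenticated actor, and that is the check a reviewer should look for wherever a request carries both "who is acting" and "whom it acts on".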
This pattern of behaviour from Facebook may discourage researchers from looking for vulnerabilities in Facebook and push them to sell their bugs for cash instead. Facebook is also said to have fixed another serious bug: one that allowed any user's photos to be deleted.
What's your thought on this? Share your comments below.