A security researcher has disclosed a bug that would let anybody erase any photograph from Facebook, whether the photo was yours, mine, or Zuckerberg’s, and was given a large sum of cash for the discovery.
Under Facebook’s white hat program, those who discover bugs and follow Facebook’s rules in reporting them are paid a bounty. The minimum bounty for any bug is set at $500, with Facebook paying more based on the bug’s severity.
In the researcher’s report of this bug, security researcher Arul Kumar says he was paid a whopping $12,500.
The vulnerability relied on a weakness in Facebook’s support, which allows a user to see the status of reports they have sent for review. Whenever a user reported a photo and Facebook decided not to forcibly erase it, that user would get a link that let them send a speedy takedown request to whoever had uploaded the image, including a delete button.
Video demo of the vulnerability.