Facebook vulnerability: delete photos without user interaction.



Hours ago, this was possible via the support dashboard, a portal designed to help users track the progress of the reports they send to the social network.
The flaw was revealed by Arul Kumar, an Indian ethical hacker, who was rewarded with a $12,500 bounty for this critical vulnerability, which allowed anyone to delete photos without user interaction.
Connectikpeople has discovered that the 21-year-old Arul Kumar sent the social network a video proof-of-concept that exploited Mark Zuckerberg's profile and photos.
In fact, the bug allowed hackers to remove photos from any Facebook profile by exploiting the support dashboard.
“I can manually modify Photo_id & Owners Profile_id so that I am able to receive any photo removal link to my inbox. It would be done without any user’s interaction. And also Facebook will not notify the owner if his photo was removed,” said Arul Kumar.
Connectikpeople has discovered that the vulnerability mainly existed on the mobile domain. If an image wasn’t removed by the Facebook team, users had the option to send a message with a Photo Removal Request to the owner. If users sent a fake message, the server automatically generated a removal link.
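A simplified model of the flaw described above, with the server-side fix beside it. This is an added example, not Facebook's code; every name (`PHOTO_OWNERS`, `request_removal_vulnerable`, `request_removal_hardened`, `redeem`) and all sample data are hypothetical.

```python
import secrets

# Constructed sample data: photo_id -> profile_id of the real owner.
PHOTO_OWNERS = {"photo-1001": "alice", "photo-2002": "bob"}
REMOVAL_TOKENS = {}   # token -> photo_id
INBOX = {}            # profile_id -> removal tokens delivered to that inbox
AUDIT = []            # (sender, photo_id, recipient) for every link issued


def _deliver_link(sender, recipient, photo_id):
    """Mint a single-use removal token and place it in the recipient's inbox."""
    token = secrets.token_urlsafe(16)
    REMOVAL_TOKENS[token] = photo_id
    INBOX.setdefault(recipient, []).append(token)
    AUDIT.append((sender, photo_id, recipient))
    return token


def request_removal_vulnerable(sender, photo_id, owner_profile_id):
    """Flawed: trusts the client-supplied owner id, so the removal link
    is delivered to whichever profile the request names."""
    return _deliver_link(sender, owner_profile_id, photo_id)


def request_removal_hardened(sender, photo_id, owner_profile_id):
    """Fixed: the owner is resolved from the server's own record and a
    request whose claimed owner does not match is rejected."""
    real_owner = PHOTO_OWNERS.get(photo_id)
    if real_owner is None:
        raise LookupError("unknown photo")
    if owner_profile_id != real_owner:
        raise PermissionError("claimed owner does not match photo record")
    return _deliver_link(sender, real_owner, photo_id)


def redeem(token, acting_profile):
    """Defense in depth: the token is single-use and the photo is deleted
    only when the redeeming profile is the recorded owner."""
    photo_id = REMOVAL_TOKENS.pop(token, None)
    if photo_id is None or PHOTO_OWNERS.get(photo_id) != acting_profile:
        return False
    del PHOTO_OWNERS[photo_id]
    return True
```

The `AUDIT` list is where a mismatch between requester, photo and recipient would surface for detection or for notifying the owner.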
Connectikpeople may also recall that Khalil Shreateh previously hacked Mark Zuckerberg's Facebook profile.
