Arul Kumar, an Indian electronics and communications engineer who describes himself as a "security enthusiast," recently received a $12,500 award from Facebook for uncovering a bug that allowed him to delete any photo from Facebook without any interaction with the user (h/t Sophos).
Facebook allows users to contact any other user to request that a photo be removed -- doing so generates a photo removal link that the photo's owner can click on to remove the image. By modifying parameters within the message, Kumar was able to redirect the photo removal link to an account he controlled, so that he, rather than the owner, could click it and delete the photo.
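The class of flaw described above, a removal link whose recipient is taken from a client-supplied parameter, is easiest to see next to its fix. The following model is an added example, not Facebook's code; the photo store, the server key, the account names and every function name are invented for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one photo owned by "alice". Not Facebook's data model.
PHOTOS = {"photo-42": {"owner": "alice"}}
SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment signing key


def sign(photo_id, recipient):
    """HMAC binding a removal link to (photo, recipient) so the fields cannot be edited."""
    msg = f"{photo_id}:{recipient}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def vulnerable_removal_link(photo_id, recipient):
    """Weak design: the recipient who may remove the photo comes from the request.
    A requester can point the link at an account they control."""
    return {"photo_id": photo_id, "recipient": recipient, "token": sign(photo_id, recipient)}


def hardened_removal_link(photo_id):
    """Fixed design: the recipient is looked up server-side from the photo's owner,
    so no request parameter can redirect the link to a different account."""
    owner = PHOTOS[photo_id]["owner"]
    return {"photo_id": photo_id, "recipient": owner, "token": sign(photo_id, owner)}


def vulnerable_handle(link, clicking_user):
    """Bug: trusts the signed recipient field without checking it is the photo's owner."""
    if not hmac.compare_digest(sign(link["photo_id"], link["recipient"]), link["token"]):
        return "invalid token"
    if clicking_user != link["recipient"]:
        return "forbidden"
    return "removed"


def hardened_handle(link, clicking_user):
    """Fix: authorization is decided against the server's own ownership record,
    never against a field that originated in the request."""
    photo = PHOTOS.get(link["photo_id"])
    if photo is None:
        return "unknown photo"
    if not hmac.compare_digest(sign(link["photo_id"], link["recipient"]), link["token"]):
        return "invalid token"
    if clicking_user != photo["owner"]:
        return "forbidden"
    return "removed"
```

The weak handler lets a requester who set the recipient to their own account delete someone else's photo; the hardened handler refuses the same link because the clicker is not the recorded owner.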
The flaw has since been fixed, and Facebook security rep Emrakul commended his work, writing, "Wanted to say your video was very good and helpful, I wish all bug reports had such a video :)"