Facebook Rewards Engineering Student from Kerala with 16000 USD for pointing out a Bug

From a picture with friends to the news of getting married, the first day at a job, the arrival of a new born in the family and even one’s mood swings and the status of a relationship, everything has to be “posted on the timeline”. The job isn’t done even after things are posted. The real purpose is only served when one sees the number of likes and shares received for a particular post and revels in his/her popularity on social media. Facebook has evolved into an integral part of social media.

Things have changed to such an extent that people have now begun to celebrate even birthdays, not to spend time with the family or for the general feeling of joy it gives, but to upload pictures on Facebook and count the likes for the picture. The Facebook storm has undoubtedly taken over the world.

However, we all neglect the fact that despite being a social media platform, the extent to which Facebook can become transparent is uncontrollable. This brings up the problem of hacking, which in the simplest terms means trespassing into others’ accounts without his/her knowledge. This is a potential threat that can lead to many serious problems.

However, 21-year-old Arun Sureshkumar did something different. As soon as he spotted some flaws on the social media platform, instead of attempting to do anything wrong, he reported the shortcomings to Facebook authorities, so that they could rectify the problem and ensure security to the users. Arun was,in turn, rewarded for his deed by the company with 16,000 USD.

Arun exposed a critical vulnerability in Facebook Business Manager, which allows business organisations to securely share and provide controlled access to their ad accounts, pages and other assets on Facebook. Pages are created on Facebook by brands, corporates and celebrities throughout the world in order to reach out to the public. Anyone with an account can create a page or help manage one, if they have been given a role of an admin or an editor. People who like the page can get updates on their news feed.

He, however, found an issue with the privacy option of Facebook for managing these pages.

Describing the severity of the vulnerability, Arun says, “Technically termed as a bug, this shortfall revolves around Insecure Direct Object Reference (IDOR),wherein internal information such as a file or database key is exposed to users without any access control. The attacker can thus manipulate those references to get access to unauthorised data. In Facebook’s case, IDOR vulnerability in Facebook Business Manager allowed me to take over any Facebook page in less than 10 seconds.”

Arun reported this vulnerability on Facebook’s Bug Bounty Programme that provides recognition and compensation to security researchers practicing responsible disclosure. He says that he was acknowledged by the Facebook team and the case was immediately registered under Facebook Page Takeover-Zero Day Vulnerability status. The issue was fixed temporarily within two hours and later the bug was removed completely.

“I was intimated about all these steps through email,” he added.

The team also discovered and fixed another issue while addressing this case, and so they decided to provide a higher bounty amount to Arun. Pointing out this bug has earned him an esteemed rank on the list of ethical hackers that Facebook has published.

“The team has informed me that I may come up to first position from the tenth, after reporting this page takeover vulnerability,” he said.

Arun has also reported various other bugs on Facebook earlier, which include Facebook Account takeover, a bug that allows an attacker to have full control over a person’s account without his consent or knowledge.

A fourth-year engineering student in Computer Science, Arun, hails from Kollam and is looking forward to discovering more such issues and says that his ultimate dream is to get a job at Facebook.

More Stories
OPINION: Love and Arranged Love