Facebook may be the largest social network and a digital behemoth, but with its size come security threats. Apparently there are a lot of them, and there is good money to be made calling them out.
An 18-year-old boy from Kerala is the latest to identify a bug in Facebook’s system, earning a handsome bug bounty award of $16,000, or almost 11 lakh INR.
Arun S Kumar, an engineering student from Kollam, Kerala, has identified a bug that could potentially harm Pages, a popular Facebook property. “I found a bug that can help any intruder exploit the pages owned by other people in a new platform introduced by the FB to help business, which was vulnerable,” Arun told Deccan Chronicle.
The bug was found in the ‘transfer page’ option under FB business, which attaches a specified page to another business registered on the FB business platform. “The algorithm that helps in transferring the page was wrong. The message that is transferred while doing the transfer option can be intercepted using a third party software. The ID, source and destination pages and the role of the user as manager that gives the administrator the rights are passed as parameters to the Facebook server to hack the system. The error in the system is that the page ID is not rechecked,” Arun says.
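The class of flaw described above, a server acting on a client-supplied page ID and role without rechecking them against its own records, is shown here as an added example; it is not Facebook's code. The handler names, parameter names and sample data are all hypothetical.

```python
import copy

# Constructed sample state: who administers each page, who manages each business.
SAMPLE = {
    "page_admins": {"page-100": {"alice"}, "page-200": {"bob"}},
    "business_managers": {"biz-1": {"alice"}, "biz-2": {"bob"}},
    "page_business": {"page-100": "biz-1", "page-200": "biz-2"},
}

class Forbidden(Exception):
    """Raised when the session user lacks the rights the request relies on."""

def fresh_state():
    return copy.deepcopy(SAMPLE)

def transfer_unchecked(state, session_user, params):
    # Flaw as described: page_id and role are accepted exactly as sent.
    page_id = params["page_id"]
    state["page_business"][page_id] = params["dest_business"]
    if params.get("role") == "manager":
        state["page_admins"].setdefault(page_id, set()).add(session_user)
    return state["page_business"][page_id]

def transfer_checked(state, session_user, params):
    page_id, dest = params["page_id"], params["dest_business"]
    # Recheck the page ID against server-side records for this session.
    if session_user not in state["page_admins"].get(page_id, set()):
        raise Forbidden(f"{session_user} does not administer {page_id}")
    if session_user not in state["business_managers"].get(dest, set()):
        raise Forbidden(f"{session_user} does not manage {dest}")
    # The client-supplied "role" is ignored; roles come from server state only.
    state["page_business"][page_id] = dest
    return dest

if __name__ == "__main__":
    # Constructed request: bob's session, page_id altered in transit to alice's page.
    tampered = {"page_id": "page-100", "dest_business": "biz-2", "role": "manager"}
    s = fresh_state()
    transfer_unchecked(s, "bob", tampered)
    print("unchecked admins of page-100:", sorted(s["page_admins"]["page-100"]))
    s = fresh_state()
    try:
        transfer_checked(s, "bob", tampered)
    except Forbidden as err:
        print("checked handler refused:", err)
```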
This is a critical security lapse, as millions of Pages exist and more are created every day on Facebook. Big businesses depend on them for branding, while some medium and small businesses can run entirely based on their Facebook pages. Arun’s timely bug identification can help Facebook fix the lapse.
Just a few months ago, another Indian, an engineer with a day job at Flipkart, had found a bug in Facebook and received a 10 lakh reward. While Facebook’s average bug bounty reward is around $1000, Arun’s was supposedly on the higher side because of the criticality of the bug. “The majority of the bounty is for the page takeover capability of your exploit, but while investigating your report, we discovered and fixed another issue as well. So the bounty is a little higher because of that,” Arun was informed.
The bug was permanently fixed within six hours of being acknowledged. According to Facebook, since the inception of the Facebook bug bounty program, the tech giant has paid out more than $3 million to its beneficiaries.