Arul Kumar, a 21-year-old engineering graduate, has netted a $12,500 bounty from Facebook after he found a critical bug that allowed anyone to delete any photo hosted on the social networking website. At the current dollar exchange rate, the bounty, which Arul will get this month, is worth around Rs 8,25,000.
This is the second time Arul has won a bounty from Facebook. Around a month ago, he discovered another bug for which he was promised $1500. He is yet to get this money.
Incidentally, Arul is not a software engineer or even a programmer or network expert. He completed his engineering in electronics and communications from Hindusthan Institute of Technology in Coimbatore just a few months ago.
"Earlier this year, I heard about the Facebook bug bounty programme through which the company rewards people who find flaws on the website. Then I came to know about some Indian hackers who hunt for bugs and are rewarded," Arul told TOI from Chennai, where he is looking for a job. "I started looking for bugs and learned programming and networking through tutorials on the web. The bug that I found on Facebook doesn't require some technical wizardry. I found it because I keep an open eye when I use web services."
When Arul found the photo-related bug, he filed a report through a page that Facebook has set up for hackers. But after reviewing the report, Facebook rejected Arul's claim.
"I messed around with this for the last 40 minutes but cannot delete any victim's photo. All I can do is if the victim clicks the link and chooses to remove the photo it will be removed, which is not a security (vulnerability) obviously," a member of Facebook's security team wrote in an email.
This was not new. While Facebook has a healthy reward programme for those who find bugs, in the past it has rejected claims even when presented with valid bugs. This recently happened with a Palestinian security researcher. After his bug was rejected, the Palestinian used it to break into the Facebook wall of Zuckerberg and posted a message.
Arul, however, created a video, showing how he could delete any Facebook photo. "I made this video and demonstrated the bug using the profile id of Facebook founder Mark Zuckerberg and a photo hosted by him. To recreate the flaw, I performed all the steps except the last one that would have deleted one of the photos hosted by Zuckerberg," Arul said.
After he sent this video to the Facebook team, he got a better response. His bug was accepted on August 21. "Found the bug ... fixing the bug. Wanted to say your video was very good and helpful. I wish all bug reports had such a video," a Facebook staffer wrote back.
On the same day Facebook also approved payment of $12,500 as a reward for finding the bug. The bug was fixed a few days ago and Facebook gave permission to Arul to talk about his exploit publicly.
Though many technology companies run bug bounty programmes, Facebook and Google are considered the most generous.
While he has tasted some success, Arul says that he wants to learn more about programming and computer security practices. "I am just a beginner as far as ethical hacking and security research is concerned. In fact, I got my first laptop just in January," Arul said.
He said that he would give the money to his family in Attur, Salem district in Tamil Nadu. His father has a small shop in his hometown and Arul hopes to use the money to make his family more comfortable.
Facebook to pay over Rs 8 lakh to Indian engineering graduate for finding critical bug - The Times of India