Facebook to pay Rs.8 lakh to Indian engineering graduate for finding critical bug

[mmadhankumar]

Arul Kumar, a 21-year-old engineering graduate, has netted a $12,500 bounty from Facebook after he found a critical bug that allowed anyone to delete any photo hosted on the social networking website. At the current rate of dollar, the bounty which Arul will get this month, is worth around Rs 8,25,000.

This is the second time Arul has won a bounty from Facebook. Around a month ago, he discovered another bug for which he was promised $1500. He is yet to get this money.

Incidentally, Arul is not a software engineer or even a programmer or network expert. He completed his engineering in electronics and communications from Hindusthan Institute of Technology in Coimbatore just a few months ago.

"Earlier this year, I heard about the Facebook bug bounty programme through which the company rewards people find who flaws on the website. Then I came to know about some Indian hackers who hunt for bugs and are rewarded," Arul told TOI from Chennai, where he is looking for a job. "I started looking for bugs and learned programming and networking through tutorials on the web. The bug that I found on Facebook doesn't require some technical wizardry. I found it because I keep an open eye when I use web services."

When Arul found the photo-related bug, he filed a report through a page that Facebook has set up for hackers. But after reviewing the report, Facebook rejected Arul's claim.

"I messed around with this for the last 40 minutes but cannot delete any victim's photo. All I can do is if the victim clicks the link and chooses to remove the photo it will be removed, which is not a security (vulnerability) obviously," a member of Facebook security team wrote in an email.

This was not new. While Facebook has a healthy reward programme for those who find bugs, in the past it has rejected claims even when presented with valid bugs. This recently happened with a Palestinian security researcher. After his bug was rejected, the Palestinian used it to break into the Facebook wall of Zuckerberg and posted a message.

Arul, however, created a video, showing how he could delete any Facebook photo. "I made this video and demonstrated the bug using the profile id of Facebook founder Mark Zuckerberg and a photo hosted by him. To recreate the flaw, I performed all the steps except the last one that would have deleted one of the photos hosted by Zuckerberg," Arul said.

After he sent this video to the Facebook team, he got a better response. His bug was accepted on August 21. "Found the bug ... fixing the bug. Wanted to say your video was very good and helpful. I wish all bug reports had such a video," a Facebook staffer wrote back.

On the same day Facebook also approved payment of $12,500 as a reward for finding the bug. The bug was fixed a few days ago and Facebook gave permission to Arul to talk about his exploit publicly.

Though many technology companies run bug bounty programmes, Facebook and Google are considered most generous.

While he has tasted some success, Arul says that he wants to learn more about programming and computer security practices. "I am just a beginner as far as ethical hacking and security research is concerned. In fact, I got my first laptop just in January," Arul said.

He said that he would give the money to his family in Attur, Salem district in Tamil Nadu. His father has a small shop in his hometown and Arul hopes to use the money to make his family more comfortable.



Facebook to pay over Rs 8 lakh to Indian engineering graduate for finding critical bug - The Times of India

 

[Omi]

great job Arul.

 

[Satvijay]

Salem youth gets a reward of Rs. 8 lakh from Facebook

The discovery of a bug on a popular social networking site has won a 21-year-old engineering graduate a reward of Rs. 8 lakh.

The malfunction reportedly enabled users on Facebook to remove pictures from other accounts without the knowledge or approval of the owner.

For his discovery, city youth Arul Kumar was awarded with Rs. 8,12,500 as part of Facebook’s bug bounty programme through which it incentivises those who find flaws on the networking site.

The student, who hails from Salem, graduated from Hindustan Institute of Technology in Coimbatore in June and is now in Chennai on the lookout for a job.

“I have always been interested in the security of frequently-used websites such as Google and Facebook. There has to be a bug somewhere, and I keep testing every feature of these sites,” said Arul.

It was during one such testing exercise that he wondered if photos uploaded on Facebook by a user could be removed by others. Users are aware of two ways to remove a picture from the site — either the account owner removes it or somebody else who has a problem with it uses the dashboard to request the Facebook team to remove it, said Arul.

“But Facebook also has an option that asks the user who uploaded the picture to remove it. When I tested the feature, it turned out the request to remove the picture was sent to the person who wanted it removed, and not to the one who uploaded it — that was the bug,” he said.

It took a night for Arul to verify the error, after which he sent a detailed report to Facebook. “But they rejected my claim saying they could not detect the bug. It was only when I sent them a video of the malfunction that they believed such a bug existed.”

Recently, Arul got a response from Facebook saying that his video was helpful, and that a payment of $12,500 would be awarded to him for finding the bug.

“This happened a week ago, but I waited till the bug was fixed so users would not be affected. Facebook does not pay those who hack into existing accounts,” he said.

Arul plans to hand the prize money to his family in Attur, Salem district, where his father runs a small shop.

“My father got me a laptop this January. I look forward to helping him in managing the family’s expenses. I hope at least one of the many companies I have applied to for a job responds to my application,” he said.


Source: The Hindu