21-year-old engineering graduate, Arul Kumar grabbed a $12,500 bounty from Facebook as he found a critical bug that allowed anyone to delete any photo hosted on the social networking website. With the current dollar rate in the market, the bounty which Arul is supposed to receive this month is expected to worth around 8,25,000 INR.
Well, this is not the first time Arul has won a bounty from Facebook. About a month ago he was successful in discovering another bug for which he was promised $1500. He is yet to get the pay.
Surprisingly, Arul is not a software engineer or a programmer or even network expert. He completed his engineering in electronics and communications from Hindustan Institute of Technology in Coimbatore just a few months ago.
Arun told TOI from Chennai, “Earlier this year, I heard about the Facebook bug bounty programme through which the company rewards people find who flaws on the website. Then I came to know about some Indian hackers who hunt for bugs and are rewarded. I started looking for bugs and learned programming and networking through tutorials on the web. The bug that I found on Facebook doesn’t require some technical wizardry. I found it because I keep an open eye when I use web services.”
When Arul found the photo-related bug he immediately filed a report through a page that Facebook has especially set up for hackers. But, unfortunately, facebook rejected his claim after reviewing the report.
An email by a member of the Facebook security team says – “I messed around with this for the last 40 minutes but cannot delete any victim’s photo. All I can do is if the victim clicks the link and chooses to remove the photo it will be removed, which is not a security (vulnerability) obviously.”
This can not be considered as news because even though facebook has a healthy reward programme for those who can find bugs, it has been rejecting claims even when presented with valid bugs. This also happened with a Palestinian security researcher quite recently. After his bug was rejected, the Palestinian used it to break into the Facebook wall of Zuckerberg and posted a message.
But what Arul did was he created a video, showing how he could delete any Facebook photo. He says, “I made this video and demonstrated the bug using the profile id of Facebook founder Mark Zuckerberg and a photo hosted by him. To recreate the flaw, I performed all the steps except the last one that would have deleted one of the photos hosted by Zuckerberg,”
After this video to the Facebook team, he got a much better response. His bug was finally accepted on August 21. “Found the bug … fixing the bug. Wanted to say your video was very good and helpful. I wish all bug reports had such a video,” a Facebook staffer wrote back.
Facebook also approved payment of $12,500 as a reward for finding the bug on the very same day. When the bug was finally fixed a few days back, Facebook permitted Arul to talk about his exploit publicly.
Among the many technology companies running bug bounty programmes, Facebook and Google seems to be the most generous.
Arul does not want to stop here. He wants to learn more about programming and computer security practices. “I am just a beginner as far as ethical hacking and security research is concerned. In fact, I got my first laptop just in January,” Arul said.
Arul said he would give the money to his family in Attur, Salem district in Tamil Nadu. His father owns a small shop in his hometown. He wishes to use this money to uplift his family.
Akshay Agarwal
Latest posts by Akshay Agarwal (see all)
- Indian Funky Nightwear Brand for Babies and Kids Online - November 11, 2020
- Children’s Boutique Clothing Manufacturers in India - September 25, 2020
- Kids Celebrity Designer – Aastha Agarwal to showcase her collection at India Kids Fashion Week in Jaipur - September 7, 2019