In a mail to The Hacker News, the hacker said he was able to remove the cover photo using a private bug, which he used after he had reported the photo. He used the "I don't like this photo of me" option on Facebook, after which he said he used the Fiddler2 debugging proxy to edit the request that changes the photograph. The same hacker also posted a video about the exploit, but the video is very unclear about the procedure he used to get into Mark's account, or whether the account was hacked at all.
Mark Zuckerberg's cover photo was left removed for hours, and the hacker who claimed to be behind it was unable to provide any solid proof of the exploit. Further, the hacker who claimed to have done it refused to reveal his identity or a Twitter handle.
We at Techworm dug a little deeper into the matter to find out exactly what had happened to Mark Zuckerberg's cover photo for those couple of hours. We contacted the hacker who made the claim and asked whether he had any proof of concept; unfortunately he was unable to provide us with any. We asked whether the bug was still present and whether he could remove more photos using his method, and he said the bug was fixed soon after the news was out in the media.
However, the hacker was able to provide us with a screenshot of the message he sent to the Facebook security engineers and their subsequent reply to him. The screenshot provided by the hacker shows that he reported the vulnerability to the Facebook security team, but the bug was fixed before he reported it.
The blurred link in the report looks similar to "https://x.facebook.com/editphoto.php?id=10100849926252771&__user=zuck", followed by a few additional parameters. When opened, the link offers options to remove or rotate any photo on Facebook; you just need the right photo id of the victim. Unfortunately, when you click the delete photo button, it shows the message "The page you requested cannot be displayed right now. It may be temporarily unavailable, the link you clicked on may be broken or expired, or you may not have permission to view this page."
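The link above, as described, takes a photo id and a `__user` parameter straight from the query string. Below is an added illustration (not Techworm's code, and not Facebook's) of the class of flaw such an endpoint would have if it trusted those parameters, beside a hardened handler that derives the acting user from the server-side session and checks that the photo belongs to that user before deleting it. The `PHOTOS` and `SESSIONS` tables, the session tokens and the function names are constructed for the example; the URL is the one quoted in the article.

```python
# Added illustration (not the article's or Facebook's code) of an ownership check
# on a photo-edit endpoint. All tables and tokens below are constructed sample data.
from urllib.parse import parse_qs, urlparse

# Constructed: photo id -> owning user id
PHOTOS = {"10100849926252771": "zuck", "555": "alice"}
# Constructed: session token -> authenticated user (server-side state, not client input)
SESSIONS = {"sess-alice": "alice", "sess-zuck": "zuck"}

EXAMPLE_URL = "https://x.facebook.com/editphoto.php?id=10100849926252771&__user=zuck"


def parse_edit_request(url):
    """Pull the photo id and the client-supplied __user value out of the query string."""
    query = parse_qs(urlparse(url).query)
    return query.get("id", [None])[0], query.get("__user", [None])[0]


def delete_photo_vulnerable(url, photos):
    """Weak version: the caller's identity is whatever the __user parameter says.

    Anyone who knows a photo id and the owner's user id can pass the check.
    """
    photo_id, claimed_user = parse_edit_request(url)
    if photos.get(photo_id) != claimed_user:
        return "denied"
    del photos[photo_id]
    return "deleted"


def delete_photo_hardened(url, session_token, photos, sessions, audit_log=None):
    """Hardened version: identity comes from the session, never from the URL,
    and the photo must belong to that identity. Denied attempts are logged so
    that scripted id-guessing shows up in monitoring."""
    photo_id, _ignored_user = parse_edit_request(url)  # __user is not trusted at all
    actor = sessions.get(session_token)
    if actor is None:
        return "unauthenticated"
    owner = photos.get(photo_id)
    if owner is None or owner != actor:
        if audit_log is not None:
            audit_log.append(f"denied: user={actor} tried to delete photo={photo_id}")
        return "denied"  # the generic "cannot be displayed" page would render here
    del photos[photo_id]
    return "deleted"


if __name__ == "__main__":
    photos = dict(PHOTOS)
    print("vulnerable:", delete_photo_vulnerable(EXAMPLE_URL, photos))  # deleted, no login needed
    photos = dict(PHOTOS)
    log = []
    print("hardened as alice:", delete_photo_hardened(EXAMPLE_URL, "sess-alice", photos, SESSIONS, log))
    print("hardened as zuck: ", delete_photo_hardened(EXAMPLE_URL, "sess-zuck", photos, SESSIONS, log))
    print("audit log:", log)
```

The point of the hardened handler is that the `__user` value in the URL plays no part in the decision: the server already knows who is logged in, and the only question it asks is whether that account owns the photo. Logging the denials gives a detection signal for someone walking through photo ids.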
We asked the hacker whether he could send us the complete link he used to remove Mark Zuckerberg's cover photo, which he refused, saying that he intends to use the same bug to build a few new exploits, which he will report to the Facebook bounty program for their cash rewards. He also categorically stated that he will not go public this time around, as he feels he lost out on the bounty prize because of the advance publicity Zuckerberg's cover photo received.
Ultimately, we feel that there is no solid proof for the claim that he was the one who removed the photo, or that the photo was removed by Mark himself. Facebook's security team issued a standard reply when asked to comment on the episode: "There is no merit to this claim. We have confirmed there was no suspicious activity on the account."