https://www.facebook.com/ajax/whitehat/delete_test_users.php?fb_dtsg=AQA1E-WE&selected_users=[Victim's Profile ID]&__user=[Attacker's Profile ID]&__a=1

According to the claim, the selected_users and __user parameters are the ones the exploit relies on: the attacker supplies his own profile ID as __user and the victim's profile ID as selected_users.
The hacker also claimed that, using the flaw, he was able to delete Facebook CEO Mark Zuckerberg's profile. The vulnerability has since been fixed by the Facebook team. Just four days earlier, Facebook fixed another flaw that allowed hackers to delete any user's photos.
But should these bug hunters now stop reporting to vendors and go back to selling exploits on underground hacking forums?
Note: We are trying to contact the Facebook Security team for more information about this; stay tuned for further updates.
Update: According to an official statement provided to the Computerworld blog by Michael Kirkland, communications manager at Facebook, the company is calling Ahmed's claim a hoax.
This is not a real bug. We've audited our code to verify that there's no variant of the proposed exploit that works against this endpoint or any other that we've found. Furthermore, we've verified in our logs that the 'test account' being used in the demonstration video was manually deactivated by visiting https://www.facebook.com/deactivate.php.
This is simply a hoax. The HTML source shown in the video clearly says "No test user was deleted". We've verified in our logs that the victim account was manually deactivated by visiting https://www.facebook.com/deactivate.php.
Anyone can visit https://www.facebook.com/whitehat/accounts/ and verify that the query parameter used by this endpoint is selected_test_users not selected_users. We've also audited our code to verify that there's no variant of this exploit that works against that endpoint or any other that we've found. In fact, the most recent code change to this endpoint was in April and was routine maintenance that had no security implications.
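As an added illustration (a constructed example, not Facebook's code and not the hacker's proof of concept), the Python below models the bug class the report alleges in the request shown at the top of the page: a handler that trusts a client-supplied __user and selected_users, beside a hardened handler that takes the acting user from the server-side session, binds the fb_dtsg anti-CSRF token to that session, and deletes only test accounts the actor owns. The account IDs, tokens and the in-memory store are assumptions. Feeding the claimed request to the hardened handler, which expects selected_test_users as Facebook's statement says the real endpoint does, deletes nothing and returns a "No test user was deleted" message, the same observation Facebook cites from the video.

```python
"""Toy model of the bug class alleged in the report above (constructed
example, not Facebook's code): a 'delete test users' endpoint that trusts a
client-supplied acting user (__user) and target list (selected_users), beside
a hardened handler that takes the actor from the server-side session, binds
the anti-CSRF token to that session, and deletes only test accounts the actor
owns. Account ids, tokens and the store are all constructed."""
from urllib.parse import parse_qs, urlsplit


def fresh_accounts():
    """Constructed in-memory account store: id -> owner, test flag, active flag."""
    return {
        "1001": {"owner": None, "test": False, "active": True},   # real user: attacker
        "1002": {"owner": None, "test": False, "active": True},   # real user: victim
        "9001": {"owner": "1001", "test": True, "active": True},  # attacker's test account
        "9002": {"owner": "1002", "test": True, "active": True},  # victim's test account
    }


# Per-session anti-CSRF tokens (constructed; fb_dtsg is only the parameter name from the claim)
CSRF_TOKENS = {"1001": "AQA1E-WE", "1002": "tok-victim"}


def parse_request(url):
    """Return the query string as a flat dict (first value per key)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def split_ids(value):
    """Comma-separated id list -> list of non-empty ids."""
    return [u for u in value.split(",") if u]


def delete_test_users_vulnerable(params, accounts):
    """Shape of the alleged bug: the actor is whatever the client puts in __user,
    and every id in selected_users is deactivated, test account or not."""
    actor = params.get("__user")
    deleted = []
    for uid in split_ids(params.get("selected_users", "")):
        acct = accounts.get(uid)
        if acct and acct["active"]:
            acct["active"] = False
            deleted.append(uid)
    return {"actor": actor, "deleted": deleted}


def delete_test_users_hardened(session_user, params, accounts, csrf_tokens=CSRF_TOKENS):
    """Hardened handler: identity comes from the session, never from the query
    string; the CSRF token must match that session; each target must be an
    active test account owned by the actor. Anything else is skipped."""
    if params.get("fb_dtsg") != csrf_tokens.get(session_user):
        return {"actor": session_user, "deleted": [], "error": "bad csrf token"}
    deleted = []
    for uid in split_ids(params.get("selected_test_users", "")):
        acct = accounts.get(uid)
        if not acct or not acct["test"] or acct["owner"] != session_user or not acct["active"]:
            continue
        acct["active"] = False
        deleted.append(uid)
    message = f"Deleted {len(deleted)} test user(s)" if deleted else "No test user was deleted"
    return {"actor": session_user, "deleted": deleted, "message": message}


# The request shape from the claim, with constructed ids in place of the placeholders
CLAIMED_URL = ("https://www.facebook.com/ajax/whitehat/delete_test_users.php"
               "?fb_dtsg=AQA1E-WE&selected_users=1002&__user=1001&__a=1")

if __name__ == "__main__":
    params = parse_request(CLAIMED_URL)
    print("vulnerable:", delete_test_users_vulnerable(params, fresh_accounts()))
    print("hardened:  ", delete_test_users_hardened("1001", params, fresh_accounts()))
```

The practical lesson for triaging a proof of concept like this one: compare the parameter names in the PoC with the ones the real form actually submits, and check whether the response body reports that anything was deleted, before accepting a video as evidence.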