Thanks to a bug on Facebook, anyone could have deleted any image on the social networking platform. The security flaw came along with the new polling feature that the website launched earlier this November. While the feature was focused on enabling users to take votes on whatever they like, it also enabled hackers to delete just about any picture on the entire website thanks to insecure direct object references.
Pouya Darabi, a security researcher, discovered this bug in the new polling feature. He spotted that whenever someone was creating a poll, it would send a request to Facebook servers carrying a unique ID for the picture included. Darabi found that he could replace that ID with an ID of any other image or gif on the network regardless of who had uploaded it and that image would appear along with the poll.
If a user then chooses to delete that poll, there goes the image, as well.
When this field value changes to any other images ID, that image will be shown in poll. After sending request with another user image ID, a poll containing that image would be created. At the end when we try to delete the poll, victim’s image would be deleted with it by facebook as a poll property.
The flaw worked for all images even those that were set to private. When the poll was removed, it would delete the image completely from the platform, not just from the poll. While it is unclear how someone would obtain the ID of other people’s photos, it is likely that a hacker could guess random numbers until they got an image.
Here’s the proof of concept video posted by the bug hunter:
Facebook was quick to fix this issue and has awarded Darabi $10,000 in bug bounty. SecurityWeek reports that the same researcher earned another significant bounty from Facebook in 2015 when he bypassed the platform’s cross-site request forgery (CSRF) protection systems. That had earned Darabi $15,000 in bounty. Then, in 2016, Darabi earned $7,500 for discovering another security problem in the social networking site.