Facebook Bug Allowed User To Delete Any Image

A flaw in a new polling feature could have been manipulated by a malicious user to delete images of their choice across the site

A security researcher has been paid a $10,000 (£7,520) bounty for uncovering a Facebook bug that could have allowed users to delete any image on the site.

Toronto-based researcher Pouya Darabi said he uncovered the bug when analysing a new Facebook feature that lets users create polls.

Users can attach images to their polls and Darabi said he was able to attach not only his own images, but those of any user.

But when the poll was deleted, Facebook also deleted the attached image, Darabi said.

Credit: Pouya Darabi
Credit: Pouya Darabi

Image deletion

“At the end when we try to delete the poll, (the) victim’s image would be deleted with it by Facebook as a poll property,” he wrote in an advisory.

The bug meant a malicious user could have used the poll feature to remove images of their choice from Facebook.

Darabi said Facebook responded quickly, installing a temporary fix a few hours after his initial report on 3 November.

A permanent fix followed two days later. Darabi was paid the $10,000 under Facebook’s bug bounty programme, a scheme similar to those of other major IT companies intended to encourage users to find and report security problems the company has missed.

Does IoT security concern you?

  • Yes (89%)
  • No (11%)

Loading ... Loading ...

Security firm Sophos said the issue is a common one, in which a tool intended to give users access to their own objects also gives them access to those belonging to other people.

The erors are called insecure direct object references and can be manipulated to “trick the server into giving you access to something that would usually be blocked or invisible”, Sophos’ Paul Ducklin said in a blog post.

“That’s a bit like checking into a hotel, getting a key that opens your allocated room, and then stumbling across the fact that it opens all the other rooms on your floor due to a key encoding error,” Ducklin wrote.

“If you’re a programmer, remember to test everything,” he wrote.

Do you know all about security in 2017? Try our quiz!