A security researcher has been paid a $10,000 (£7,520) bounty for uncovering a Facebook bug that could have allowed users to delete any image on the site.
Toronto-based researcher Pouya Darabi said he uncovered the bug when analysing a new Facebook feature that lets users create polls.
Users can attach images to their polls and Darabi said he was able to attach not only his own images, but those of any user.
But when the poll was deleted, Facebook also deleted the attached image, Darabi said.
“At the end when we try to delete the poll, (the) victim’s image would be deleted with it by Facebook as a poll property,” he wrote in an advisory.
The bug meant a malicious user could have used the poll feature to remove images of their choice from Facebook.
Darabi said Facebook responded quickly, installing a temporary fix a few hours after his initial report on 3 November.
A permanent fix followed two days later. Darabi was paid the $10,000 under Facebook’s bug bounty programme, a scheme similar to those of other major IT companies intended to encourage users to find and report security problems the company has missed.
Does IoT security concern you?
Security firm Sophos said the issue is a common one, in which a tool intended to give users access to their own objects also gives them access to those belonging to other people.
The erors are called insecure direct object references and can be manipulated to “trick the server into giving you access to something that would usually be blocked or invisible”, Sophos’ Paul Ducklin said in a blog post.
“That’s a bit like checking into a hotel, getting a key that opens your allocated room, and then stumbling across the fact that it opens all the other rooms on your floor due to a key encoding error,” Ducklin wrote.
“If you’re a programmer, remember to test everything,” he wrote.
Do you know all about security in 2017? Try our quiz!
Billionaire battle. Meta's boss Mark Zuckerberg overtakes Jeff Bezos to become the world’s second richest…
Internet domains used by “Russian intelligence agents and their proxies” for cyberattacks, seized by the…
UK's tech billionaire Dr Mike Lynch died from drowning on his superyacht, but his daughter's…
Another recall for thousands of Tesla Cybertrucks over delay with rear camera, with could hamper…
Browser firms write to European Commission alleging Microsoft's Edge web browser enjoys an unfair advantage
Data centre and AI spending spree continues over at Microsoft, with Italy earmarked for €4.3…