Pouya Darabi, an Iranian web developer, discovered and reported a critical yet straightforward vulnerability in Facebook earlier this month that could have allowed anyone to delete any photo from the social media platform.
Darabi analyzed the feature and found that when creating a new poll, anyone can easily replace the image ID (or gif URL) in the request sent to the Facebook server with the image ID of any photo on the social media network.
Now, after sending the request with another user image ID (uploaded by someone else), that photo would appear in the poll.
“Whenever a user tries to create a poll, a request containing gif URL or image id will be sent, poll_question_data[options][associated_image_id] contains the uploaded image id,” Darabi said. “When this field value changes to any other images ID, that image will be shown in poll.”
Apparently, if the creator of the poll deletes that post (poll), as demonstrated in the video above, it would eventually delete the source photo as well, whose image ID was added to the request—even if the poll creator doesn’t own that photo.
This isn’t the first time when Facebook has been found dealing with such a vulnerability. In the past, researchers discovered and reported several issues that let them delete videos, photo albums, and commentsand modify messages from the social media platform.
Darabi has also previously been awarded by Facebook with a $15,000 bug bounty for bypassing its cross-site request forgery (CSRF) protection systems (in 2015) and another $7,500 for a similar issue (in 2016).