If you believe that a $ 500 billion website does not have a vulnerability, then you’re wrong.
Pouya Darabi, an Iranian web developer, discovered and reported earlier this month a critical but simple Facebook bug vulnerability that would allow anyone to delete every photo from the social media platform.
The vulnerability is the new Facebook poll feature launched earlier this month by the social media giant to publish polls containing GIF images and animations.
Darabi analyzed the feature and found that anyone who creates a new survey, the image ID (or GIF URL) in the request sent to the Facebook server easily through the image ID of a photo in Social-Media Network may replace.
Also Read: Top Android Remote Administration Tool (RAT) Of 2017
Now, after sending the request with a different user image ID (uploaded by someone else), this picture appears in the survey.
“Whenever a user attempts to create a poll, a request with a gif or id image is sent,” Poll_question_data [options] [] [associated_image_id] contains the loaded image id, “Darabi said.” If this value field changes to another image ID, that image will be displayed in the survey. ”
If the poll creator clears this post (poll), as shown in the video above, it would also seem to delete the source photo whose image ID was added to the request, even if the poll creator does not have his own photo.
The researcher said he had received $ 10,000 as premium from Facebook after reporting this vulnerability to the Social Media Network on November 3. Facebook solved this problem on November 5th.
Also Read: MS Office Built-In Feature Can Be Exploited By Creating Self Replicating Malware
This is not the first time that Facebook faces such a facebook bug. In the past, researchers discovered and reported several issues that allow them to delete videos, photo albums, and comments, and edit messages from the social media platform.
Darabi was also honored by Facebook with $ 15,000 in bypass cross-site request forgery protection (CSRF) (2015) and another $ 7,500 for a similar problem (in 2016).
