Delete any
Image on Facebook
When I was checking out facebook’s new features, I noticed that polling feature were added to the posts so I start working on it.
Whenever a user tries to create a poll, a request containing gif URL or image id will be sent,
poll_question_data[options][][associated_image_id] contains the uploaded image id.
When this field value changes to any other images ID, that image will be shown in poll.
After sending request with another user image ID, a poll containing that image would be created.
Our uploaded image has been replaced by victim’s image |
At the end when we try to delete the poll, victim’s image would be deleted with it by facebook as a poll property.
POC:
I appreciate Facebook security team for resolving this vulnerability quickly.